Calhoun


Institutional Archive of the Naval Postgraduate School 





Calhoun: The NPS Institutional Archive 
DSpace Repository 




1989-09 


Cognitive passwords: the key for effective 
access control 


Hulsey, John Douglas 


Monterey, California. Naval Postgraduate School 
http://hdl.handle.net/10945/26919


This publication is a work of the U.S. Government as defined in Title 17, United 
States Code, Section 101. Copyright protection is not available for this work in the 
United States. 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for
research materials and institutional publications created by the NPS community.
Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first
appointed -- and published -- scholarly author.

Dudley Knox Library / Naval Postgraduate School

411 Dyer Road / 1 University Circle 
Monterey, California USA 93943 





http://www.nps.edu/library 


NAVAL POSTGRADUATE SCHOOL 


Monterey, California 


COGNITIVE PASSWORDS: 
THE KEY FOR EFFECTIVE ACCESS CONTROL


by 


JOHN DOUGLAS HULSEY 


SEPTEMBER 1989 





Thesis Advisor: Moshe Zviran 


Approved for public release; distribution is unlimited. 








REPORT DOCUMENTATION PAGE

Report Security Classification: UNCLASSIFIED
Distribution/Availability of Report: Approved for public release; distribution is unlimited.
Name of Performing Organization: Naval Postgraduate School
Address (City, State, and ZIP Code): Monterey, CA 93943-5000
Name of Monitoring Organization: Naval Postgraduate School
Address (City, State, and ZIP Code): Monterey, CA 93943-5000
Title (Include Security Classification): COGNITIVE PASSWORDS: THE KEY FOR EFFECTIVE ACCESS CONTROL
Type of Report: Thesis
Date of Report (Year, Month, Day): September, 1989
Page Count: 110
Subject Terms: Computer Security; Access Control; Passwords; Cognitive Passwords

Approved for public release; distribution is unlimited. 


COGNITIVE PASSWORDS: THE KEY FOR EFFECTIVE ACCESS CONTROL 
by 


John D. Hulsey 
Lieutenant, United States Naval Reserve 
B.B.A., Georgia State University, 1975 


Submitted in partial fulfillment 
of the requirements for the degree of 


MASTER OF SCIENCE IN INFORMATION SYSTEMS 
from the 


NAVAL POSTGRADUATE SCHOOL 
September 1989


ABSTRACT 


Passwords are a commonly used method of access control for computer 
systems. Traditional passwords have been found to be inadequate. Passwords are 
generated from two sources: users and computer systems. User-selected passwords are 
easy to remember, but they might be easily guessed and therefore yield a lower degree 
of security. System-generated passwords usually offer a higher degree of security, but 
they are hard to remember and therefore meet with high user resistance. Because of 
this user resistance, password systems are either circumvented or not used. A solution 
to this tradeoff between memorability and security is a security mechanism that is
easily remembered, user friendly, hard to guess and yields a high degree of security. 
Cognitive passwords offer these advantages. They are based on a series of 
predetermined questions with answers known normally only by a specific user. 
Research into the underlying theory, types of applicable questions and implementation
of a prototype system is conducted.


TABLE OF CONTENTS 


I. INTRODUCTION
II. COMPUTER SECURITY: AN OVERVIEW
III. PASSWORDS AS A SECURITY MECHANISM
IV. NEW APPROACHES TO PASSWORDS
V. RESEARCH METHODOLOGY
VI. DATA ANALYSIS
VII. IMPLEMENTATION
VIII. CONCLUSIONS AND RECOMMENDATIONS
APPENDIX
LIST OF REFERENCES


I. INTRODUCTION 


A. THE NEED TO PROTECT COMPUTER RESOURCES 

Concerns of privacy, proprietary interests, administrative confidentiality and, in
the military, national security are considerations in the development of computer 
security systems. (Barton, et al., 1984) 

Computer resources are vulnerable to compromise and attack for four reasons: 


1. hardware may contain capabilities not originally designed,

2. an operating system may contain errors or capabilities that allow a user to
deceive or circumvent a security system,

3. a security mechanism may contain errors or capabilities that can be exploited
or circumvented,

4. poor password systems may lead to guessing of passwords by system intruders.
(Kaiser, 1987)


The penalties for inadequate computer security are severe. Consequences of 
intrusion may include alteration, disclosure or loss of data of an entire system. 
Statistical evidence indicates that most unauthorized access attempts go unnoticed. One 
out of 100 computer crimes is detected. Of those crimes detected, one out of 22,000 
is prosecuted. Of the computer crimes prosecuted, one out of thirty three leads to a 
conviction. (Hagopian, 1987) 

Computer security ranges from physical security of buildings housing computer
facilities to authentication of persons attempting to use specific application programs.
The National Computer Security Center (NCSC), charged with the responsibility of
designing computer security systems for the United States government, equates security
with trustworthiness (Kaiser, 1987). The NCSC defines trustworthiness as having four
characteristics:

1. a security mechanism is fully integrated into the fiber of a computer system;

2. a system is robust, well-behaved and understandable;

3. a security mechanism is software-managed and hardware-enforced;

4. any change to an access permissions matrix is immediately enforced.
(Kaiser, 1987)


The development of networks created the capability to communicate remotely with 
other computers. Physical restrictions no longer were adequate. Additional security 
mechanisms were needed to ensure the availability of widely dispersed systems while 
at the same time ensuring that only authorized people could gain access. Physical 
boundaries were replaced by electronic boundaries. A secondary security mechanism, 
passwords, came to the forefront. Passwords were thought to be inexpensive, easy to 
use and provide a level of assurance that the user was indeed authorized to use a 
computer system. Through the years, passwords were found to be lacking. Passwords 
that yielded a high degree of security were found to be hard to remember. Conversely, 
passwords that were easy to remember were found to yield a low degree of security 
(Barton, et al., 1984).

A continuing search for a better password system has led to the development of
cognitive passwords. This thesis focuses on the feasibility, advantages, disadvantages
and problems inherent in the use of cognitive passwords as a security mechanism.
After investigating the characteristics of the cognitive password approach and comparing
them to the characteristics of the traditional password approach, a prototype will be
developed to test and demonstrate the concepts and knowledge resulting from this
investigation.


II. COMPUTER SECURITY: AN OVERVIEW


A. BACKGROUND
1. Computer Security: Definition
Computer security is a comprehensive strategy to protect and safeguard
resources (Wood, 1983). Protective measures take the following sequence:

1. protect terminal locations; 

2. limit the users that can activate a terminal through use of terminal keys; 

3. use passwords to control user access;

4. use passwords to limit access to data resources; 


5. require additional passwords for specific resources, such as programs and 
databases; 


6. provide extra protection for sensitive data through encryption 
(Ahituv, et al., 1987). 


Computer-based information systems are comprised of six major categories 
of resources: hardware, software, communication facilities, data, information and people. 
Each of these resources, either singularly or in combination, may be vulnerable 
themselves or be the means by which compromise is achieved. 

Two general approaches may be used in developing a security system: all
resources are protected or no resources are protected unless of a critical nature
(Wood, 1983). Some information managers emphasize the value of computer hardware
rather than the value of the information stored in the system (Wood, 1983).
2. Protection Versus Accessibility

At one extreme, a security system might limit access to only one or two
people. However, the benefit of information availability organization-wide would be 
lost. The net result would be a secure but useless system. At the other extreme, if 
no protection is afforded, accessibility would be high but system security would be 
lost. Computer security must be balanced between protection and accessibility. Figure
2-1 illustrates this tradeoff.

[FIGURE 2-1: PROTECTION ACCESSIBILITY TRADEOFF. Axes: protection and accessibility.]

Two additional considerations of the protection versus accessibility tradeoff
are cost and effect on the organization. As the degree of security rises, the complexity 
of protection increases, adding to costs. The cost of a secure system must be evaluated 
against the importance of the computer resource that is being protected. If the loss of 
a computer system could threaten the survivability of an organization, more funds are 
likely to be spent to protect the system. If, on the other hand, the loss of a system 
would have minimal effect, an organization may elect to implement only basic security 
measures. 

The impact of the security system on an organization’s personnel will also 
be important to an organization. Paans and Herschberg (1987) draw a correlation 
between security and the happiness of personnel. They indicate that implementation 
of security measures is viewed as the withdrawal of privileges and may even lead to 
potential sabotage. People can no longer enter certain areas without permission. In 
addition, they can not browse through databases unless they are specifically authorized 
access. Hagopian (1987) identifies four ways in which computer security will affect an 
organization: 


1. additional job responsibilities are assigned causing possible organizational 
friction; 


2. the security system makes sign-on more difficult; 
3. access to resources is restricted;


4. the choice of which terminal to use will be reduced.


3. Types of Risk Exposure 

Exposure represents possible loss or harm. Vulnerability is a weakness that 
might be exploited (Pfleeger, 1989). Types of exposures and vulnerabilities fall into 
six categories:

1. accidental disclosure 

2. intentional disclosure 

3. accidental modification 

4. intentional modification 

5. accidental destruction 

6. intentional destruction (Fisher, 1984). 

Disclosure, the sharing of information; modification, the changing of 
information and destruction, the elimination of information, require special control 
measures. Through security control measures, the exposures or vulnerabilities can be 
prevented, detected and corrected (Fisher, 1984). Pfleeger (1989) categorizes 
vulnerabilities into four threats: 


1. interruption, an asset becomes lost, unavailable or unusable;

2. interception, an unauthorized party gains access;

3. modification, someone tampers with an asset;

4. fabrication, creation of spurious transactions.


4. Causes of Exposures
Fisher (1984) states six major causes of exposure: people, hardware, 
software, communications, procedures and acts of God. 
a. People 
Through curiosity or malicious intent, people are a major cause of 
exposure. 
b. Hardware 
Hardware-related exposures may be caused by inadequate or incorrect
microcoding causing a legitimate request for information to yield an unauthorized set
of information.
c. Software
The use of software to reveal information is probably the second
major cause of exposures. During software development, a common practice is to
implement specific ways for a developer to quickly gain access to certain segments of
a program. These quick-entry mechanisms or "back doors" may not be completely
eliminated before a program is released to users, allowing intruders to gain access to
and modify original code.
d. Communications
With the proliferation of personal computers and their ability to
communicate with other computer systems from anywhere in the world, the complexity
of communications security is a significant problem. No longer can a security manager
confidently establish boundaries around a system. Any person with a personal
computer, a modem, a communications package and some knowledge of an authorized
password can gain access to a system.
e. Procedures
Procedures that have been poorly thought out can have detrimental
effects. A payroll department procedure that allows the same employee to enter
personnel into the payroll system and to authorize payroll checks may result in checks
being issued to nonexistent personnel.
f. Acts of God
Acts of God include natural disasters such as floods, hurricanes or
fires and can result in the loss of facilities and data. Backup and recovery procedures
plus establishment of a geographically separated secondary facility can alleviate these
possibilities.
5. Summary
Figure 2-2 summarizes the relationships between causes and types of
exposures and computer-based vulnerable resources.

[FIGURE 2-2: COMPUTER SECURITY CONSIDERATIONS. Labels: HARDWARE, SOFTWARE, APPLICATIONS, COMMUNICATIONS, VULNERABLE RESOURCES, CAUSES OF EXPOSURE, TYPES OF EXPOSURE.]


B. METHODS OF DEFENSE 

Protection of computer-based information systems may be thought of as a layered
approach. Each layer uses a different methodology to address the problems unique to
that particular layer. The synergism of multiple layers may create a security system
that protects its resources.

1. Types of Defenses
Hsiao, Kerr and Madnick (1979) delineate five types of defenses: operational 
security, physical security, hardware security, cryptographic transformations and 
operating system security. 
a. Operational Security 

The broad category of operational security encompasses two major 
areas: operating environment and authorization control (Hsiao, et al., 1979). 

(1) Operating Environment. An operating environment is defined 
in terms of the degree of access allowed to a computer system. Three possibilities 
exist: closed, open or unlimited (Hsiao, et al., 1979). In a closed system only a few 
users have access. In an open system, any person can gain access by identifying 
himself or herself personally to another person authorized to grant access. In an 
unlimited environment, any person can gain access with little effort. 

(2) Authorization Control. Authority to grant access to a system
can be divided into three categories: centralized, hierarchical decentralized and individual
(Hsiao, et al., 1979). Under centralized control, a person or department controls who
is granted authorization. In hierarchical decentralization, functional managers have the
power to grant access for specific areas under their control. The complete
decentralization of control results in individual control: an owner of information is
responsible to control access to it.

Authorization control or authentication can take many forms
from passwords to the confirmation of biological traits. Various types of authorization
control are discussed later in this paper.

b. Physical Security 
Physical security encompasses acts of God, man-made disasters and 
intrusion (Hsiao, et al., 1979). Acts of God, such as fires and floods, may be 
controlled by installation of sensors and automatic suppressant systems such as a 
HALON 1211 fire fighting system. Man-made disasters or equipment failures such as 
a disk head crash can be minimized through a backup and recovery system. Intrusion, 
either intentional or unintentional, is a primary concern of physical security. Prior to
the proliferation of network communications systems, avoiding intrusion meant keeping 
a person from physically entering a computer facility. With the current ability to 
access a computer through remote terminals, physical security must now be concerned 
with preventing access through communications media. Cipher locks, identification 
cards and door monitors are examples of tools used for physical security. 
c. Hardware Security
Closely related to the design of hardware is the design of the
hardware security system. Various hardware components require protection from both
the user and computer applications or processes desiring to use the hardware resources.
Examples of tools used are special microchips called registers and operating system
software.


d. Cryptographic Transformations 
A different approach to security is the encoding of user access 
information. The underlying assumption is that intruders will be able to gain access. 
Rather than try to prevent access, emphasis is placed on encrypting or scrambling the 
data making it unusable by outsiders (Hsiao, et al., 1979). Data that can not be 
interpreted are of little value. Tools commonly used are encryption and decryption 
algorithms. 
e. Operating System Security
An operating system is the master program that controls the execution
of all other processes and stays resident in main memory. Prior to the running of an
application program, an operating system must be executed. An operating system acts
as the mediator between competing processes and allocates resources based on
demands. Gaining access to an operating system can lead to access of other programs.
Advanced operating systems, such as UNIX, contain security components that can be
activated.


C. DEFENSE TOOLS
The two major defense tools used in computer security are encryption and
authentication (Wood, 1983).


1. Encryption 

Encryption is accomplished by three methods: encrypting a password table
stored in memory, using one-way encrypted passwords and using a personal key device 
that contains an encrypted code after the plain text password has been entered 
(Ahituv, et al., 1987). Encryption raises the effort required to break the code 
(Menkus, 1988). 

2. Authentication 

The most widely used defense tool is use of authentication methods. 
Identification by authentication is approached in two ways: use of natural properties, 
such as fingerprints, or use of artificial measures, such as passwords or magnetic cards 
(Ahituv, et al., 1987). Authentication methods use something known (a password), 
something possessed (a personal key), something to be performed (a signature) or some 
biological trait (a fingerprint) (Fisher, 1984). 

The underlying logic of authentication devices takes two forms: make 
computers more like people by equipping them with biometric readers or make people 
more like computers by equipping them with personal computerized authentication 
devices (Spender, 1987). Authentication devices take the form of biometrics, directly 
connected token reading devices (keyholes which accept electronic keys), user interface 
tokens (pocket devices that can generate one-time passwords) and fixed password 
devices (plastic cards that contain access codes read electronically)
(Spender, 1987).

More common than authentication devices are passwords, a group of
characters that identify a user. With this background in computer security, Chapter III
explores the use of passwords as a security mechanism.


III. PASSWORDS AS A SECURITY MECHANISM


A. DEFINITION 

The risk of granting access to an invalid user must be measured against the cost 
of designing, implementing and maintaining an adequate security system. 
Martin (1973) states that two types of errors may be possible: a false rejection in 
which the person is actually a valid user and a false acceptance in which access is 
granted to an imposter. 

Passwords consist of a sequence of letters, numbers, special symbols or control
characters used to authenticate a user's identity (Wood, 1983).


B. WHY USE PASSWORDS? 

The use of passwords is the second oldest method of access control. In the early
years of computer usage, the number of personnel authorized access was small. Each
valid user was normally known to other users, and as such, an intruder could be easily
identified. Prior to the development of networks and remote terminal capabilities,
computer hardware was centrally located. Operators were the only users authorized
access and they would have to be physically present in the computer room to
communicate with the hardware. Password protection consisted of system passwords
known to the group of operators.

The advent of networks and end-user computing brought computer resources out
from under the centrally protected facility. A rudimentary password architecture became
the answer to the problem of protecting dispersed resources.

Passwords offer the benefits of being relatively inexpensive, readily implementable 
and supported by most operating systems (Spender, 1987). A fourth benefit of 
adopting a password security system is familiarity. Passwords are a known 
methodology. They are viewed as a simple, friendly method to control access. 
Emphasis placed on ease of use may, unfortunately, hamper the degree of security
provided.


C. TRADEOFF: EASE OF USE VERSUS SECURITY

Ease of use is defined as user-friendliness and flexibility (Wood, 1983). Some
users have developed an attitude that it is their right to use computer resources as they
desire, commonly known as the hacker ethic. Concurrent with this attitude is a desire
by users to avoid any restrictions on their ability to gain access at any time and
anywhere. The current proliferation of local area networks has greatly enhanced this
desire to gain access at the office, at home or on the road. The widespread availability
of personal computers connected to central databases has resulted in organizations
granting access to more users. Paans and Herschberg (1987) note that there is a lack
of enthusiasm among the lower ranks for security as they feel controls tend to degrade
their happiness. If password and sign-on procedures become difficult, users will find
ways to circumvent them, thereby degrading security (Martin, 1973).

The ease of use versus security tradeoff is directly applicable to passwords.
Passwords must strike a balance between ease of remembrance by a user and difficulty 
of guessing by outsiders. The longer the password, the more difficult it is to guess 
(Wood, 1983). Unfortunately, most users require aids to help their recall 
(Menkus, 1988). If a password is so long that a user must write it down, security has 
been degraded. If a user puts a password on paper, it changes from something known 
to something possessed. Knowledge of the hiding place of the paper with the password 
written on it becomes the password (Porter, 1982). Figure 3-1 illustrates the tradeoff
between ease of use and security.

[FIGURE 3-1: TRADEOFF: EASE OF USE VERSUS SECURITY. Axes: ease of use and security.]


D. OBJECTIVES OF PASSWORDS 

The objective of a password is to authenticate a user of computer resources 
(Wood, 1983). As the system authenticator, passwords are the first line of defense 
against unauthorized use of computer systems (Wood, 1983). 

Protection of personal privacy, proprietary interests, administrative confidentiality 
(Barton, et al., 1984) and, in the military, national security might be achieved through 
passwords. The privacy of personal information such as social security numbers is a 
concern in large databases. The development of proprietary interests such as processes
stored in computers must be protected from industrial espionage. Confidential records 
such as payroll records must be protected from intruders trying to change pay rates or 
create phantom employee records for embezzlement. Unauthorized access into military 
databases could result in being unprepared for an attack. 

In achieving a level of protection from intruders, passwords can prevent, detect 
and deter (Wood, 1983). Passwords are the second layer of a computer security 
system. A determined intruder may not be deterred by a single layer of protection. 
Multilayered systems can make the time and effort necessary to break into the system 
so expensive that intruders will feel it is not cost effective. Passwords are used in an
attempt to raise the cost of penetrating a system to a level where an intruder is either
prevented or deterred (Wood, 1983). Menkus (1988) recommends optimizing password
performance by making compromise as difficult and time consuming as possible.
Monitoring programs can be added to password systems that track attempted accesses
and alert system personnel.


E. TYPES OF PASSWORDS 

Passwords are categorized by two methods: generation and use. Generation 
methods include system, user and manufacturer. Use methods include primary, 
secondary and dynamic. 

1. System Generated Passwords 

The system generation of passwords is managed by a system security 
administrator (Menkus, 1988). The administrator’s responsibilities include selection of 
new passwords, distribution of passwords, monitoring to ensure proper use of passwords 
and disposition of expired passwords. System generated passwords are normally 
generated either through a random number generator or a nonsense string generator
(Menkus, 1988). 

The advantage of system generated passwords is that the user is removed 
from the selection process. User generated passwords are normally connected with the 
user’s lifestyle and therefore are vulnerable to guessing by outsiders (Menkus, 1988). 
System generated passwords will normally contain random characters and are not 
related to a user’s lifestyle. 

Disadvantages of system generated passwords include difficulty in 
remembering, possible repetition of generation cycles, vulnerability of storage tables and 
the removal of the user from the selection process. Nonsensical strings of characters 
make guessing difficult, but also make remembrance by a user difficult. Complicated
passwords tend to be forgotten or written down (Ahituv, et al., 1987).


To combat this problem, some systems generate character strings that include 
vowels, making the strings more pronounceable and therefore memorable. The tradeoff 
in making system generated passwords pronounceable is that the passwords are more 
vulnerable (Kurzban, 1983). 
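
The tradeoff Kurzban describes can be put in numbers. The Python below is an added example, not part of the thesis: it assumes a simple alternating consonant/vowel rule for the pronounceable generator (the thesis does not specify one) and lowercase letters only, and all function names are hypothetical.

```python
import math
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                        # 5 letters
LETTERS = string.ascii_lowercase        # 26 letters


def random_password(length):
    """Nonsense-string generator: every position is drawn from all 26 letters."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def pronounceable_password(length):
    """Assumed rule: consonant at even positions, vowel at odd positions."""
    return "".join(
        secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
        for i in range(length)
    )


def keyspace_random(length):
    """Number of distinct strings random_password can produce."""
    return len(LETTERS) ** length


def keyspace_pronounceable(length):
    """Number of distinct strings pronounceable_password can produce."""
    n_consonants = (length + 1) // 2    # positions 0, 2, 4, ...
    n_vowels = length // 2              # positions 1, 3, 5, ...
    return len(CONSONANTS) ** n_consonants * len(VOWELS) ** n_vowels


def min_length(keyspace_fn, target):
    """Shortest length at which the generator reaches `target` combinations."""
    length = 1
    while keyspace_fn(length) < target:
        length += 1
    return length


def bits(keyspace):
    """Keyspace expressed as bits of guessing work for an exhaustive search."""
    return math.log2(keyspace)


if __name__ == "__main__":
    for n in (6, 8):
        r, p = keyspace_random(n), keyspace_pronounceable(n)
        print(f"length {n}: random {r:,} ({bits(r):.1f} bits), "
              f"pronounceable {p:,} ({bits(p):.1f} bits), ratio {r / p:,.0f}x")
    print("sample random:       ", random_password(8))
    print("sample pronounceable:", pronounceable_password(8))
    # Length needed to reach a floor of one million combinations.
    print("min length, random:       ", min_length(keyspace_random, 10**6))
    print("min length, pronounceable:", min_length(keyspace_pronounceable, 10**6))
```

At eight characters the pronounceable generator covers roughly 1/1,700 of the random keyspace, so the same protection against exhaustive search requires a longer string.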

2. User Generated Passwords 

User selected passwords tend to be simple and composed of birthday dates, 
spouse's names, nicknames and other data connected with a user’s lifestyle 
(Menkus, 1988). In many cases, passwords can be found in personnel files. The 
Department of Defense forms teams of computer experts to test the integrity of security 
systems. These tiger teams routinely comb personnel files, for passwords based on 
personal data, with great success (Wood, 1983). 

User selected passwords have the advantage of being simple and meaningful. 
The disadvantage is that they are frequently based on trivial association and can be 
guessed by outsiders (Ahituv, et al., 1987). 

3. Manufacturer Generated Passwords 

Manufacturers typically embed or hard-code passwords into programs. These 
embedded passwords serve as example passwords and are published in system 
documentation (Wood, 1983). Example passwords are intended to be temporary until 
the user selects a replacement. If the user does not remove the example password, it 
may become a source of vulnerability. 

Another type of manufacturer's password is that used by field representatives
and technicians. These passwords typically take the form of "test" and "system"
(Barton, et al., 1984). They serve as a quick method by which technicians can gain
access for maintenance and repairs. Knowledge of these passwords may allow
unauthorized users to penetrate a security system.
4. Classification by Use

Passwords are also classified by their use: primary, secondary and dynamic.
Primary passwords are used to gain access to an initial set of resources
(Menkus, 1988). Secondary passwords are used as supplements to gain access to a
subset of resources (Menkus, 1988). Dynamic use of passwords involves use of a
different password at each log-in (Avame, 1988).


F. EXTENDED PASSWORDS (PASSPHRASES)

Passwords, either system or user generated, share the problem of memorability. 
If users construct the password, it is easy to remember but unsecure (Wood, 1983). 
System generated passwords are secure but unpopular with users (Wood, 1983). The 
longer the password, the more secure it is (Menkus, 1988). However, the longer the 
password, the more complicated; users tend to forget long passwords or they write 
them down (Ahituv, et al., 1987). 

In order to take advantage of the best of both the system and user generation 
methods, extended passwords or passphrases were developed as a compromise 
(Wood, 1983). Passphrases are long passwords normally consisting of thirty to eighty 
characters (Porter, 1982). Menkus (1988) describes an extended password as an easily 
remembered but nonsensical three or four word phrase. Passphrases offer the advantage 
of allowing a user to select a password for himself. A passphrase is more likely to 
be meaningful and therefore easier for a user to remember (Porter, 1982). An 
additional advantage of extended passwords is the added length of the password. 
Passwords should be long enough that they will yield at least one million possible 
combinations (Fisher, 1984). Using a minimum of 30 alphabetic characters, over one 
trillion combinations are possible. This foils at least one way used to determine 
someone’s password: trying all possible character combinations (Pfleeger, 1989). The 
sheer magnitude of the effort and time required by an intruder to perform an exhaustive 
search poses a high level of deterrence. 

Additional schemes may be employed in conjunction with passphrases. A thirty 
to eighty character passphrase can be put through a hashing algorithm. Hashing 
extracts a number of designated characters from an extended password. Extracted 
characters constitute an actual password that is stored in an access table. Hashing a 
passphrase reduces the amount of required memory storage and provides one-way 
encryption (Porter, 1982). 


G. CONSTRUCTION OF PASSWORDS 
The success of passwords as a security mechanism is related directly to good 
construction. Three criteria govern good construction: length, character set and 
memorability. 

1. Length 

The longer the password, the more difficult it is to guess it and therefore 
the more secure it is (Wood, 1983). Passwords are commonly constructed of six to 
eight characters. This length is popular for two reasons: first, six to eight characters 
are sufficient to guard against a "brute-force" attack (Wood, 1983) and second, memory 
aids are commonly required for recall of passwords of more than eight characters 
(Menkus, 1988). The elimination of memory aids decreases the probability that 
passwords will be committed to paper. 

The minimum length of a password determines the lower bound of security 
(Menkus, 1988). Fisher (1983) suggests that the minimum length should be a set of 
characters that would yield at least one million possible combinations. The following 
sets meet this minimum constraint: six decimal digits, e.g., 195863; five hexadecimal 
characters, e.g., 1D6FC; five alphabetic characters, e.g., AZHWO or four alphanumeric 
characters, e.g., HW39 (Fisher, 1984). A consideration in selecting a minimum length 
is that intruders will be attracted to trying all possible combinations; i.e., an exhaustive 
or brute-force attack. In an exhaustive attack, an intruder will have to try no more 
than forty per cent of the possibilities to break a password (Menkus, 1988). A 
password composed of three numeric characters yields one thousand possibilities. A 
computer programmed to try each of the possible combinations will likely break the 
password in little time. Doubling the length will increase the effort required by orders 
of magnitude (Menkus, 1988). If three numerics were increased to six numerics, the 
combinations increase from one thousand to one million. 


The design of the length of passwords should also consider whether a system 
will allow a user to construct a password that is shorter than the maximum. For 
example, if a password is designed to be eight numeric characters, will a system allow 
a user to use only four characters? Most systems will enter trailing blanks in the 
unfilled spaces (Menkus, 1988). A common ploy is for the potential penetrator to 
concentrate on trailing blanks first (Menkus, 1988). The elimination of the blanks will 
significantly reduce the total combinations that the intruder must attempt. By 
eliminating four trailing blanks, an intruder reduces the work factor from one hundred 
million to ten thousand possibilities. 

2. Character Set 

The set of characters coupled with the number of characters determines the 
effectiveness of passwords. The ideal password is composed of random characters, 
such as "k&)8[" (Barton, et al., 1984). While random characters are more secure, they 
are seldom pronounceable. When a password is pronounceable, users will be better 
able to remember it (Kurzban, 1983). The addition of vowels increases 
pronounceability. However, the resulting password will be more vulnerable to attack 
(Kurzban, 1983). For example, if vowels are inserted into the string CTWLK, it 
becomes CATWALK. 

3. Memorability 

The ability to remember and recall passwords is of paramount importance 
in their construction. Most users require memory aids to help recall (Menkus, 1988). 
If a memory aid means writing the password on paper, a basic tenet of password 
security has been violated. A password committed to paper has changed from 
something known to something possessed (Porter, 1984). An intruder’s work switches 
from guessing to searching. 

An appeal to long term memory has been divided into two classifications 
of memory: semantic and episodic. These two classes form the basis for three 
approaches to enhancing the memorability of passwords: semantic, episodic and 
environmental (Barton, et al., 1984). 

a. Semantic 

Semantic memory uses information closely related to language use. 
Passwords using this approach are derived from well-known character strings, such as 
nursery rhymes. Nursery rhymes and similar strings are easily recalled, thereby 
eliminating the need for memory aids. For example, "Jack and Jill went up the hill" 
is a well known line from a childhood poem. In addition, these character strings are 
not related to a user’s lifestyle. Once identified, the string can be used with a hashing 
routine or a transform procedure to produce a phoneme, word or phrase that is actually 
the password. 

b. Episodic 

Episodic memory relies directly on individual, personal experience. To 
a large degree, this experience will be unshared. Provided the user avoids the obvious 
references to experience, such as birthday dates and children’s names, this type of 
memory is recommended for password systems. Transform procedures can operate in 
conjunction with episodic memory to produce passwords. 


c. Environmental 

Environmental clues trigger the recall of passwords. A picture on the 
office wall or a room number can serve as the basis of a character string. If the user’s 
terminal is located in a room that is painted green, "green walls" could serve as the 
initial character string. If a user’s office is in room 821 at 1275 Sams Street, 8211275 
could serve as the environmental trigger for a password. This string could then be 
manipulated by a transform procedure to produce the actual password. In the above 
example of 8211275, a transform procedure could take the even digits, 822, and add 
that result back to the initial room number to come up with the final password; i.e., 
822 plus 821 equals 1643. In this example, 1643 is the password triggered by the 
environmental clue of the room number 821. 

4. Transform Procedures 

Character strings produced by any of the three methods above can be 
coupled with transform procedures. A transform procedure manipulates a string to 
produce a user-recognizable and memorable password (Barton, et al., 1984). Effective 
transform procedures are evaluated on the following criteria: ability to achieve a high 
degree of congeniality, i.e., easy to remember and to execute; ability to produce 
structured passwords that can be recreated, which helps error discovery; and ability to 
produce passwords resistant to guessing and systematic trials. Common transform 
techniques are excerption and substitution. In excerption, a designated number of 
characters are excerpted based on their position within a string. The excerpted 
characters form the actual password. Substitution can also be used. Common 
substitution practices include the substitution of preceding or succeeding characters. 
The resulting string of substituted characters constitutes the password 
(Barton, et al., 1984). 

5. Mnemonics 

Closely related to transform procedures are mnemonics. The phonetic 
sounding of a character string may yield an expression that is pronounceable and 
memorable (Barton, et al., 1984). For example, the character string FRGTFL could be 
phonetically sounded as FOR-GET-FUL. While FRGTFL is the password, the phrase 
FOR-GET-FUL is the mnemonic that causes the password to be memorable. Other 
ways of avoiding memory aids are: inverting the order of characters, converting 
alphabetic characters to their numeric equivalents, shifting characters one or two 
positions and creating acronyms from initial letters of a meaningful phrase 
(Menkus, 1988). 

6. Summary 

Good formulation produces passwords that are distanced enough in form 
from ordinary experience to make compromise unlikely (Barton, et al., 1984). Whether 
produced by semantic, episodic or environmental methodologies, passwords should be 
evaluated for effectiveness. Ahituv, Lapid and Neumann (1987) propose the following 
evaluation criteria: 

1. should be easily memorized, 

2. should be hard to guess through association, 

3. should be easy to enter into the computer, 

4. should not be able to be used if expired, 

5. should be resistant to attack by spoofing or trojan horses, 

6. should be tested, 

7. should not take a long time to implement and 

8. should not be cost prohibitive. 


H. PROBLEMS WITH PASSWORDS 

The use of passwords as a security mechanism is a much debated topic. 
Opinions on effectiveness range from criticism that they offer little resistance to a serious 
attack (Avarne, 1988) and that their use is rarely well managed (Menkus, 1988) to praise 
as the most cost-effective approach to human user authentication (Wood, 1983). 
Menkus (1988) makes the comparison of a password to a conventional lock; it keeps 
out only honest people. 

Traditional passwords have three weaknesses: they can often be guessed, they are 
entered in the clear where they can be observed and they are used more than once 
(Avarne, 1988). These weaknesses are further supplemented by Ahituv, Lapid and 
Neumann (1987): passwords are normally stored in tables in an operating system which 
itself is subject to compromise and spoof routines. Spoof routines, explained below, can 
be used during a log-in procedure to capture passwords from an unsuspecting user. 

Eight methods of finding out a password have been identified: guessing, reading, 
hash tables, eavesdropping, intercept, signal radiation, spoofing and terminal buffers 
(Avarne, 1988). 

1. Guessing 

Users commonly use names, telephone numbers and other trivial but 
memorable data as passwords. Guessing entails repeated trials based on a certain 
amount of knowledge. To prevent guessing, systems may be equipped with counter 
programs that allow only a certain number of unsuccessful attempts before freezing out 
a would-be user. Such systems can still be penetrated through the intruder attempting 
one less than the maximum allowable attempts each day until successful. 

2. Reading 

Passwords committed to paper are usually looked up just before a log-in. 
People nearby may see the location of a written password. Systems requiring frequent 
changes of passwords may increase the likelihood of users writing them down. In 
addition, frequent changes in passwords may be circumvented by re-entering an 
identical password or alternating between two passwords. 

3. Hash Tables 

Hash tables may lead to a false sense of security. An intruder needs only 
to know a hashed result of a password. Any character string that yields the same 
hashed result will suffice. 
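The weakness described here can be made concrete with the excerption style of hashing described earlier for passphrases. The following is an added example, not code from the thesis or its sources; the designated positions, the function names and the salted PBKDF2 record used for contrast are assumptions.

```python
import hashlib
import hmac
import os

# Assumed for illustration: the access table keeps the characters found at
# these 0-based positions of the passphrase. The thesis names no positions.
POSITIONS = (0, 5, 9, 14, 20, 27)


def excerpt_hash(passphrase, positions=POSITIONS):
    """Excerption 'hash': keep only the designated characters."""
    padded = passphrase.ljust(max(positions) + 1)  # blank-pad short input
    return "".join(padded[i] for i in positions)


def colliding_string(stored, positions=POSITIONS, filler="x"):
    """Return a string that excerpts to `stored` and is otherwise filler.

    Shows that the table entry alone determines an accepted input: only
    the designated positions are ever compared.
    """
    chars = [filler] * (max(positions) + 1)
    for ch, i in zip(stored, positions):
        chars[i] = ch
    return "".join(chars)


def effective_keyspace(alphabet_size, positions=POSITIONS):
    """Distinct table entries possible, whatever the passphrase length."""
    return alphabet_size ** len(positions)


def make_record(passphrase, iterations=100_000):
    """Contrast: salted one-way function over the whole passphrase."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return salt, iterations, digest


def check_record(candidate, record):
    """Recompute the salted hash for `candidate` and compare in constant time."""
    salt, iterations, digest = record
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)


if __name__ == "__main__":
    phrase = "jack and jill went up the hill"  # constructed sample input
    entry = excerpt_hash(phrase)
    other = colliding_string(entry)
    print("table entry:", entry)
    print("collides   :", excerpt_hash(other) == entry, repr(other))
    print("keyspace   :", effective_keyspace(26), "vs", 26 ** len(phrase))
    record = make_record(phrase)
    print("PBKDF2 accepts phrase / collider:",
          check_record(phrase, record), check_record(other, record))
```

With six designated positions the table can hold at most 26^6 distinct entries for an alphabetic passphrase, so the added length of a thirty-character phrase buys nothing once the entry is known.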




4. Eavesdropping 
Most computer terminals do not echo a password back to the screen. 
Nonetheless, a person nearby may observe a sequence of keystrokes. Even listening 
to the number of keystrokes yields the length of a password. 
5. Intercept 
The proliferation of networks is a rich area for exploitation. Tapping into 
a line between a terminal and a host can give direct access to an intruder. 
6. Signal Radiation 
All electronic equipment, unless Tempest certified, emits radiomagnetic 
signals. These signals can be monitored and intercepted. Each keystroke emits a 
unique signal that can be correlated to give a direct interception of transmissions. 
7. Spoofing 
Penetrators develop programs that emulate terminal log-in procedures. A 
valid user enters a password not knowing that a spoof program is receiving the data 
instead of the computer. At the end of a log-in procedure, the computer gives an error 
message. The user assumes that an error has been made in keying in the information 
and re-enters the password. On the second try, the log-in is successful. Unbeknownst 
to an authorized user, an intruder now has a valid password and can enter the system 
at will. 


8. Terminal Buffers 
Passwords are written into a buffer from which the security program can 
read the entry. If a buffer is of large size or if system usage is low, a password may 
stay resident in a buffer for an indefinite time. An intruder monitoring a buffer may 
be able to read passwords that are still resident. 


I. MYTHS ABOUT PASSWORDS 
Closely related to the problems associated with passwords are the unrealistic 
expectations of security provided by passwords. Of a list of twelve misconceptions 
about information processing security, four are relevant to passwords (Kurzban, 1983). 
1. Pronounceability 
Myth: If system generated passwords are pronounceable, users will remember 
them. The addition of vowels to nonsense strings may result in pronounceability, but 
they also make the password more vulnerable. Meaning acts as a natural memory aid. 
Kurzban recommends choosing passwords that are hard to guess, not hard to remember. 
2. Incorrect Passwords 
Myth: An incorrect password indicates an attempt to gain unauthorized 
access. Most incorrect passwords are from authorized users who have either forgotten 
or miskeyed. The owner has lost the password and tries to guess it through trial and 
error (Panns, et al., 1987). 


3. Revoking Rights 
Myth: Successive incorrect passwords indicate an unauthorized user and the 
rights of the password owner should be revoked. As in Myth 2, most incorrect 
passwords result from legitimate users. An intruder can sabotage a system by entering 
successive passwords that result in the valid user being frozen out of the system. 
Without actually breaking into the computer system, the potential intruder has 
significantly affected both the users and the system. 
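Two failure modes of attempt counters appear in this chapter: guessing that stays one attempt under the daily limit (Guessing, above) and deliberate freezing-out of valid users (this myth). The detection sketch below is an added example, not part of the thesis; the log format, the threshold of three, the window and the account and terminal names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3  # assumed: an account freezes at 3 failures in one day

# Constructed sample log (format assumed): timestamp, result, user, terminal.
SAMPLE_LOG = """\
1989-03-01T08:02:11 FAIL user=jsmith term=tty07
1989-03-01T08:02:40 FAIL user=jsmith term=tty07
1989-03-02T07:58:03 FAIL user=jsmith term=tty07
1989-03-02T07:58:31 FAIL user=jsmith term=tty07
1989-03-02T09:14:52 OK user=jsmith term=tty02
1989-03-02T09:20:10 FAIL user=mjones term=tty03
1989-03-02T09:20:25 OK user=mjones term=tty03
1989-03-03T08:01:19 FAIL user=jsmith term=tty07
1989-03-03T08:01:44 FAIL user=jsmith term=tty07
1989-03-03T13:05:00 FAIL user=alee term=tty12
1989-03-03T13:05:09 FAIL user=alee term=tty12
1989-03-03T13:05:17 FAIL user=alee term=tty12
1989-03-03T13:06:02 FAIL user=bkim term=tty12
1989-03-03T13:06:10 FAIL user=bkim term=tty12
1989-03-03T13:06:19 FAIL user=bkim term=tty12
"""


def parse(log):
    """Yield (date, result, user, terminal) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("FAIL", "OK"):
            continue
        try:
            day = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue
        user = parts[2].partition("=")[2]
        term = parts[3].partition("=")[2]
        yield day, parts[1], user, term


def slow_guessing(log, threshold=LOCKOUT_THRESHOLD, window_days=7, limit=None):
    """Users whose failures stay under the daily threshold yet add up.

    Flags a user when some window of `window_days` holds at least `limit`
    failures (default 2 * threshold) and no day in it reached `threshold`.
    Returns sorted (user, failures_in_window, days_with_failures).
    """
    limit = 2 * threshold if limit is None else limit
    per_user = defaultdict(lambda: defaultdict(int))
    for day, result, user, _ in parse(log):
        if result == "FAIL":
            per_user[user][day] += 1
    flagged = []
    for user, days in per_user.items():
        best = None
        for start in days:
            end = start + timedelta(days=window_days)
            counts = [n for d, n in days.items() if start <= d < end]
            if max(counts) < threshold and sum(counts) >= limit:
                if best is None or sum(counts) > best[0]:
                    best = (sum(counts), len(counts))
        if best:
            flagged.append((user, best[0], best[1]))
    return sorted(flagged)


def lockout_abuse(log, threshold=LOCKOUT_THRESHOLD, min_accounts=2):
    """Terminals that drove several accounts to the threshold in one day."""
    fails = defaultdict(int)
    for day, result, user, term in parse(log):
        if result == "FAIL":
            fails[(term, day, user)] += 1
    victims = defaultdict(set)
    for (term, day, user), n in fails.items():
        if n >= threshold:
            victims[(term, day)].add(user)
    return sorted((term, day.isoformat(), sorted(users))
                  for (term, day), users in victims.items()
                  if len(users) >= min_accounts)
```

A single miskeyed log-in followed by a success, as for the constructed user mjones, is flagged by neither check, which matches the observation that most incorrect passwords come from authorized users.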
4. Layered Passwords 
Myth: A different password for each resource layer enhances security. 
While a certain benefit may be gained from layered passwords, users resent multiple 
passwords and may seek revenge on the system. 


J. ADMINISTRATION OF PASSWORDS 

Password systems require maintenance. Akin to logical fences, password systems 
require periodic maintenance (Wood, 1983). In large systems, security may be in the 
hands of a full-time security manager. In smaller systems, security is likely to be part 
of a system administrator's job. 

A security manager is responsible for maintaining and modifying a computer 
system's security. As well as duties related to passwords, a manager is responsible for 
physical security and disaster recovery. Monitoring a system for evidence of tampering 
and proper password use are a security manager's primary duties. 


User education in security matters is also a concern of a security manager 
(Wood, 1983). Users have certain responsibilities when using the system and should 
be duly aware of the consequences of inappropriate actions (Panns, et al., 1987). 
Education will make users aware of how a password system can protect their 
information from unauthorized access. At the same time, educated users will be aware 
of how the design and protection of passwords can enhance overall system security. 
Help with developing passwords should be available on-line. Technical information 
about length, type of characters and ranges should be accessible to users 
(Barton, et al., 1984). 


K. PASSWORD SYSTEM IMPLEMENTATION 
Wood (1983) asserts that a password security system is successful if it meets the 
following criteria: 

1. Passwords are not visible when typed. 

2. An alarm is generated if successive log-in attempts exceed a specified threshold. 

3. A password storage table is encrypted and is not reversible. 

4. Passwords travelling over networks are encrypted. 

5. Provision is made for a special password to indicate a user is under duress and 
is being forced to log-in. 

6. Error messages are limited to a single message that does not indicate which step 
in the log-in process was wrong. 

7. A password routine is segregated from the resource that it protects. 

8. Re-verification of a password is required if a session exceeds a specified time 
limit. 

9. Automatic log-off occurs if no activity takes place after a prescribed time 
period. 


Successful implementation of system-generated passwords should include 
provisions for the secure distribution of passwords. Two common distribution methods 
are (1) conventional mail using double envelopes or specially designed envelopes that 
mask a password and (2) network transmission using encryption (Menkus, 1988). A 
user-selected password system eliminates the need for a password distribution system 
(Spender, 1987). 

A password security system requires the commitment of top management. 
Information is a strategic resource. Lost or damaged information may have costly 
implications for an organization. Historically, hardware was the major cost of a 
computer system. In recent information systems, software is the major expense. 
Management often uses hardware values instead of the value of the information to base 
their security decisions (Wood, 1983). 

Menkus (1988) identifies five ways to improve performance of a password 
security system: 

1. insist that an organization's policies are enforced, 

2. prohibit storing of passwords in tables to speed network connectivity, 

3. penalize deliberate disclosure of passwords no matter how good an excuse, 

4. require frequent password-changing and 

5. insist that passwords be actually changed. 


L. PROTECTION OF PASSWORDS 

Successfully breaking a password may allow an unauthorized user total access to 
a computer system. In many systems, passwords are not only the first line of defense 
(Wood, 1983), they are the only line of defense. With the importance placed on 
passwords, security of passwords is a major concern. Passwords may be compromised 
by: 

1. trying all possibilities; 

2. trying all probable passwords; 

3. trying passwords likely for a user; 

4. searching for a system list of passwords; 
5. asking a user. (Pfleeger, 1989) 

Additional protection may be had through the use of encryption. Techniques 
include encryption of password tables stored in memory, use of one-time encrypted 
passwords and use of personal keys that are inserted after a plain text password is 
entered (Ahituv, et al., 1987). One-way encryption increases the work needed to enter 
a system (Menkus, 1988). Encryption of password tables may be accomplished by the 
simple addition or subtraction of some constant (Menkus, 1988). Whichever encryption 
method is used, care should be given to ensure that an encryption process does not 
expose encryption techniques used for other resources (Ahituv, et al., 1987). 


M. SUMMARY 

Passwords can be an inexpensive, effective means to system security. The 
tradeoff between memorability (ease of use) and security will affect a user’s 
environment. If a user’s environment is unfriendly, a user will find ways of 
overcoming the difficulty and in turn, may compromise system security (Martin, 1973). 
A hostile environment is caused by an emphasis on security at the expense of password 
memorability (Barton, et al., 1984). 


IV. NEW APPROACHES TO PASSWORDS 


A. IS THERE A BETTER WAY? 

Traditional passwords have advantages and disadvantages. Inexpensive, readily 
implemented and supported by most operating systems (Spender, 1987) are the 
advantages of passwords. The need for memory aids and potentially hostile 
environments are among their disadvantages. Opinions about the effectiveness of 
passwords range from seeing them as useless against attack (Avarne, 1988) to calling 
them the most cost-effective approach to human user authentication (Wood, 1983). 

Balanced between these views are the issues of memorability and security 
(Barton, et al., 1984). Smith (1987) recommends that systems be made easier to use 
and harder to misuse. The crux of the problem is to develop a fast, reliable 
identification process that will not hinder users or effective computer use (Smith, 1987). 

The perceived inability of traditional passwords to support adequate levels of 
security plus demands from users for a friendly environment have led to several new 
approaches. Identity-authentication can be accomplished in four ways: 

1. something possessed (Porter, 1982), 
2. something characteristic of a user (Porter, 1982), 
3. something known (Porter, 1982), 
4. something the user can do (Spender, 1987). 


1. Something Possessed 
Identification of users by possession of a physical object has gained 
popularity. The advent of banking system automatic teller machine systems has led 
millions of people to become familiar with physical tokens, such as bank authentication 
cards. Most automatic teller systems are coupled with a secondary identification 
process: a personal identification number must be keyed into the system to gain access. 
Authentication by something possessed coupled with something known (Wood, 1983) 
has been very successful. Identification by possession is not secure. Tokens can be 
lost, stolen or copied (Smith, 1987). 
2. Something Characteristic of a User 
Biometric authentication using natural properties of a user, such as 
fingerprints, is an emerging technology (Ahituv, et al., 1987). A drawback of 
biometrics is the requirement of special equipment to recognize and transmit the 
property. Two methods of breaking the biometric system are (1) faking the pattern that 
corresponds to the digital representation of the trait or occurrence and (2) modifying 
the table that stores the trait representations (Ahituv, et al., 1987). 
3. Something Known 
Passwords, something known, even with the previously described faults, are 
an economical, viable security mechanism. A common reaction to password problems 
is the imposition of constraints. While well intentioned, many of these constraints have 
only exacerbated the problem. Ineffective efforts to make passwords more secure will 
also make authentication more difficult (Smith, 1987). The U.S. Department of 
Defense recommends that user-generated passwords be replaced by system-generated 
passwords (CSC-STD-002-85, 1985). Complicated passwords tend to be forgotten and 
are written down (Ahituv, et al., 1987). 
4. Something a User Can Do 
Closely related to the category of something characteristic of a user is 
identification based on something the user can do, such as write a signature 
(Spender, 1987). Identification based on the user’s ability to perform a specific action 
has advantages and disadvantages similar to authentication based on a user’s 
characteristics: both require special equipment in order to read and interpret the 
occurrence. Both systems may be defeated by either knowing the interpreted results 
of the mechanism or gaining access to the table containing the occurrence representations 
(Ahituv, et al., 1987). 


B. NEW APPROACHES 

Smith (1987) suggests three new and creative approaches to password 
authentication systems: a biographical model, a personal interests model and a word 
association model. 

1. Biographical Model 

This model is based on biographical data that would normally not be 
available to an intruder. For example, a user’s mother’s maiden name or the first name 
of a user’s first girlfriend or boyfriend could be used to develop a password. 
Screening of data would ensure that the biographical data could not be found in 
personnel records. In the above examples, both answers are seldom in personnel 
records and are usually known only by the specific user. Smith postulates one 
problem: users might resent being asked to divulge such information. 
2. Personal Interest Model 
The personal interest model is based on a dialogue between a user and a 
computer by which a computer can assess the validity of an identity claim. A user’s 
habits or opinions can form the basis for development of a password. For example, 
a user’s favorite color or a user’s favorite dessert may serve as the basis of a 
password. Advantages of these two examples are that both answers are not normally 
found in personnel records and are usually known only by the user. Drawbacks of the 
personal interest model are the length of a dialogue session and user resistance to the 
questions. 
3. Word Association Model 
Smith (1987) proposes a system identification test based on the following 
criteria: 
1. quick identification of users through individualistic responses; 

2. entails little recall burden; i.e., information should have a high degree of 
congeniality; 

3. the process should be designed to minimize user resentment. 

Using these criteria, Smith proposed a password system based on word 
association. Examples of such associations might be the cue "officer" followed by the 
response of "Navy". Four advantages were postulated: 

1. reliable identification through uniqueness to an individual, 
2. robustness and resistance to intrusion, 
3. high memorability and 
4. little user resistance by allowing a user to select paired words. (Smith, 1987) 

Smith designed his word association model using two criteria: structure and 
memorability. 
a. Structure 
The system would be implemented by having a user enter a list of 
twenty words as cues. Cues and responses are user selected. Single words were 
selected to ensure higher recall and ease of entry. At an initial session, a user enters 
the paired responses. At a subsequent session, a user is prompted by a randomly 
selected cue. In return, an associated response is entered. If a cue and a response 
match, access is granted. As long as stereotype associations such as "blue-sky" are 
avoided, each cue and response is unique to the user and therefore harder to break. 
b. Memorability 
A primary concern was the ability of a user to recall responses over 
an extended time. A group of users were selected as the test population. In a test six 
months after the initial administration, users were asked to recall cues and responses. 
Recall averaged twenty-four per cent for cues and ninety four per cent for responses. 
Eighteen months after the initial administration, the members were again tested. Recall 
averaged twenty nine per cent for cues and eighty six per cent for responses. 
Unfortunately a sample of only four users was used in this test. Nonetheless, the point 
is that cues can serve as memory aids. Users need memory aids to recall passwords 
(Menkus, 1988). User selected passwords are easier to remember (Wood, 1983). 
Being user-selected, responses reflect personal associations. Personal association is 
based on episodic memory which is preferred for password formulation 
(Barton, et al., 1984). 
c. Vulnerability to Attack 

Attack by trying all possible combinations is defeated by the sheer 
magnitude of the required effort. In order to successfully break a word association, an 
intruder must know both a cue and its paired response. A cue and response could be 
structured to consist of a minimum of three alphabetic characters and a maximum of 
eight alphabetic characters. This structure yields a minimum of three million possible 
passwords and a maximum of two billion. Without contextual knowledge of word 
pairs, intruders would have little chance of breaking such a system (Smith, 1987). 
Paired cues and responses are stored in tables in memory. The table is encrypted to 
reduce its chance of compromise. However, a word association model suffers the same 
problems as other password systems: interception, eavesdropping and monitoring 
(Smith, 1987). 
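The structure and table protection described in the two subsections above, written out as an added example (not Smith's implementation and not code from the thesis). The salted PBKDF2 storage, the one-entry stereotype blocklist and all class and function names are assumptions; the twenty cues and the three-to-eight letter words come from the text.

```python
import hashlib
import hmac
import os
import secrets

MIN_LEN, MAX_LEN = 3, 8          # alphabetic word length, as in the thesis
REQUIRED_PAIRS = 20              # the thesis has the user enter twenty cues
STEREOTYPES = {("blue", "sky")}  # assumed blocklist; only "blue-sky" is named
ITERATIONS = 100_000             # assumed PBKDF2 work factor


def normalize(word):
    """Lower-case a single alphabetic word or raise ValueError."""
    w = word.strip().lower()
    if not (w.isascii() and w.isalpha() and MIN_LEN <= len(w) <= MAX_LEN):
        raise ValueError("words must be %d-%d letters" % (MIN_LEN, MAX_LEN))
    return w


def _digest(cue, response, salt):
    # The cue is bound into the hash so a row cannot be moved to another cue.
    data = (cue + ":" + response).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


class WordAssociationTable:
    """One user's cue/response table; responses are never stored in clear."""

    def __init__(self, required_pairs=REQUIRED_PAIRS):
        self.required_pairs = required_pairs
        self._rows = {}  # cue -> (salt, digest)

    def enroll(self, pairs):
        """Initial session: validate and store the user-selected pairs."""
        rows = {}
        for cue, response in pairs:
            cue, response = normalize(cue), normalize(response)
            if (cue, response) in STEREOTYPES or cue == response:
                raise ValueError("stereotyped association: " + cue)
            if cue in rows:
                raise ValueError("duplicate cue: " + cue)
            salt = os.urandom(16)
            rows[cue] = (salt, _digest(cue, response, salt))
        if len(rows) != self.required_pairs:
            raise ValueError("expected %d pairs" % self.required_pairs)
        self._rows = rows

    def challenge(self):
        """Subsequent session: pick the cue to prompt with, using a CSPRNG."""
        return secrets.choice(sorted(self._rows))

    def verify(self, cue, response):
        """True only if `response` is the one enrolled for `cue`."""
        try:
            response = normalize(response)
        except ValueError:
            return False
        row = self._rows.get(cue)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(_digest(cue, response, salt), digest)
```

A single common word carries little entropy, so the slow hash only raises the cost of guessing if the table is disclosed; a limit on log-in attempts is still needed.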

d. Conclusions 

Smith (1987) found the word association model to be robust and offered 
the following advantages: 

1. users do not need to remember cues, 

2. users do not need a printed cue list as a memory aid, 

3. users do not need to display their entire paired cue response list unless 
conducting periodic changes and 

4. users do not need the response echoed to the terminal screen. 
e. Summary 

The Smith Word Association Model highlights how traditional password 
systems can be improved to make them more robust and less vulnerable to attack. One 
of the most common complaints concerning passwords is that they offer little resistance 
to a serious attack (Avarne, 1988). The magnitude of the time and effort required to 
break this system is so great that it acts as an effective deterrent to even the most 
serious attacker. Figure 4-1 evaluates the word association model based on 
Ahituv, Lapid and Neumann’s (1984) criteria described in Chapter II. 


EVALUATION OF THE WORD ASSOCIATION MODEL 

CRITERIA                                    MODEL 
EASILY REMEMBERED?                          YES 
HARD TO GUESS BY ASSOCIATION?               YES 
EASY TO KEY-IN?                             [illegible] 
ATTACKABLE BY SPOOFING OR TROJAN HORSE?     YES 
EASY TO IMPLEMENT?                          [illegible] 
COST PROHIBITIVE?                           [illegible] 
[remaining entries illegible] 

FIGURE 4-1 


4. Cognitive Password Model 
An outgrowth of Smith’s (1987) three models is a cognitive password model, 
the main subject of this paper. A cognitive password system uses passwords based on 
perception, intuition, personal interests and personal history; i.e., Smith’s (1987) 
biographical and personal interest models. 


a. Advantages of Cognitive Passwords 

A biographical model offers the advantage of information not normally 
found in personnel records (Smith, 1987). This information is known only to the user, 
thereby making guessing difficult. A personal interest model affords the advantage of 
easy recall without a need for memory aids (Smith, 1987). Since the information is 
significant to the user, he or she is able to remember without a memory aid, thereby 
eliminating the possibility of a password being changed from something known to 
something possessed. 

Since both biographical and personal interest models are used, the 
advantages of each model accrue to a cognitive system. A cognitive password system 
is based on information not normally found in personnel records, on personal 
information and on information that is easily recalled. 

b. Ease of Use versus Security Tradeoff 

The tradeoff between ease of use and security is a major concern of 
security managers (Wood, 1983). The easier a password is to use or remember, the 
less security it offers, normally through requiring a memory aid (Wood, 1983). 
Similarly, the more security a password offers, the harder it is to use or remember 
(Ahituv, et al., 1987). Figure 3-1 in Chapter III illustrates this tradeoff. A cognitive 
password system resolves this dilemma to a greater degree than do traditional 
passwords. A cognitive password is composed of significant events, biographical data, 
personal habits or personal interests. As the selected information is significant and 
personal to the user, he or she is able to recall the information without the need for 
a memory aid, thereby satisfying the ease of use requirement. The degree of security 
provided by a password is based on two criteria: need for memory aids and ability to 
be guessed. The elimination of the need for a memory aid has already been discussed. 
Guessing is a primary method of password compromise (Avarne, 1988). Guessing can 
be accomplished through trivial association, such as a spouse’s name and birthday dates 
(Ahituv, et al., 1987). A cognitive password system defeats guessing since cognitive 
passwords are based on information not easily associated with the user. 
c. User-related versus System-generated 

Traditional passwords are developed in two ways: user-selected or
system-generated. User-selected passwords tend to be simple (Menkus, 1988) and are
based on trivial association, such as a spouse's name (Ahituv, et al., 1987). While
easily recalled, user-selected passwords are easily guessed and therefore afford a low
degree of security (Ahituv, et al., 1987). System-generated passwords are strings of
nonsensical characters (Menkus, 1988). A nonsensical string makes guessing harder,
but it makes remembrance more difficult, thereby requiring memory aids
(Ahituv, et al., 1987). Cognitive passwords combine the advantages of both types of
traditional passwords. A user selects a cognitive password based on personal,
non-trivial information. Since the password is based on significant information, recall is
high without the need for memory aids. At the same time, since a selected password
is not easily guessed, it provides a higher degree of security than traditional passwords.


d. Construction

Success of password systems is directly related to good construction.
Cognitive passwords satisfy the three elements of good construction: length, character
set and memorability.

(1) Length. The minimum number of characters comprising a
password sets the lower security bound (Menkus, 1988). A threshold of 1,000,000
possible combinations is adequate for most systems (Fisher, 1983). A common length
is six to eight characters (Wood, 1983). This length is sufficient to deter “brute-force”
attacks (Wood, 1983) and memory aids are not normally required (Menkus, 1988). The
implemented cognitive password model is comprised of twenty passwords of a
maximum of twenty characters each. While not all twenty sets of password questions
and answers are required to gain access, an intruder must know all twenty answers in
order to ensure entry. A minimum length is not specified, but a minimum of five to
six characters per answer is anticipated. Assuming a minimum average of five
alphabetic characters, each set has over 11,000,000 possible combinations. The
cognitive authentication process allows a maximum of ten questions per session for a
total of 110,000,000 possible combinations. Any "brute-force" attack will require
considerable time and effort, thereby either preventing or deterring an attacker
(Wood, 1983).


(2) Character Set. Pronounceability, the addition of vowels to 
characters, is a major issue in password construction. Random characters yield the 
highest degree of security (Barton, et al., 1984), but they are neither pronounceable, nor 
memorable (Kurzban, 1983). If passwords are pronounceable, they are more vulnerable 
to attack (Kurzban, 1983). Cognitive passwords offer the advantage of pronounceability 
plus they are less vulnerable to attack. A user selects meaningful answers to cognitive 
password questions. These answers are pronounceable, but since they are not readily 
associated with the user, the answers are less vulnerable to attack. 

(3) Memorability. The degree of memorability determines the need
for memory aids. Elimination of the need for memory aids protects passwords from
being changed from something known to something possessed (Porter, 1984). Of the
two types of long term memory, semantic and episodic, episodic memory is
recommended for password use (Barton, et al., 1984). Episodic memory is based on
individual and unshared personal experience (Barton, 1984). Cognitive passwords offer
the advantages of not requiring memory aids and being based on episodic memory.

e. Summary 

A cognitive password security system surpasses traditional password
systems in the areas of ease of use versus security, user-selected versus
system-generated and construction. Chapters V and VI cover research into the memorability
of cognitive versus traditional passwords. Chapter VII explores a prototype of a
cognitive password system.


V. RESEARCH METHODOLOGY 


A. BACKGROUND 

A basic premise of the cognitive password system is that the users provide the
data upon which the cognitive password challenges are based. This data, which is
normally known only to the user, consists of three types: fact-based, interest-based
and opinion-based. A fact-based challenge asks something that a user knows but is a fact
independent of a user’s regard, e.g., “What is the name of the elementary school that
you last attended?" An interest-based item might ask “What is your favorite type of
music?" An example of an opinion-based question would be "What is your favorite
flower?”

Of crucial interest in this research is the memorability of cognitive passwords and
their susceptibility to guessing by people closely associated with the users. A
simultaneous test of the recall of system-generated passwords (random alphanumeric
seven-character strings) and user-created passwords is conducted. If cognitive
passwords can be shown to possess both a high degree of memorability and low degree
of vulnerability to guessing, the cognitive password system can be shown to be based
on a robust foundation that yields high ease of use and a high degree of security.


B. METHODOLOGY 
The following is a description of the methodology used in gathering data for this 
paper. 
1. Instrumentation 
To assess the ease of recall for cognitive passwords, three forms of similar
self-administered questionnaires were developed. A copy of each questionnaire form
is included in the appendix. Each user-respondent answered the first and third forms
of the questionnaire, Q1 and Q3. They were answered by the primary respondents in
the study, who were designated variously as the user-respondents or the Q1
respondents. A significant-other (spouse, close friend or sibling) for each
user-respondent completed the second form. This questionnaire was designated the Q2
form.
a. Demographic Items 
Both the Q1 and Q3 forms asked for three categories of responses.
The first part of Q1 asked for the respondent's age, sex, years of computer usage,
types of computer with which they were experienced (mainframe terminal, stand-alone
micro or micro linked to mainframe) and the last four digits of the respondent’s Social
Security number. The Q3 form asked only for the Social Security number digits, so
that it could be matched with its Q1 counterpart. The Social Security digits are used
to mask the identity of individual respondents in the data base of this study, while
allowing matching of the Q1, Q2 and Q3 forms during the course of the research.


b. Creation and Assignment of Passwords 
The second part of Q1, but not Q3, asked each respondent to create a
password consisting of any combination of up to eight alphanumeric characters. The
test group was urged to memorize and safeguard this password as they would any other
password. They were then asked how they devised this password. Four choices were
given: (1) does the password represent a meaningful detail such as a name, a date or
a number; (2) does the password represent a combination of meaningful details;
(3) does the password represent a random choice of characters or (4) other. The
second part of Q1 displayed a unique seven-character password that was assigned to
each respondent. The password was constructed of a random combination of letters
and numbers. The respondents were urged to memorize and safeguard this password
as well.
c. Cognitive Data Items 
The Q1 and Q3 forms are identical in their third section. In this part,
20 open response items ask for items of information that were described as cognitive
data. These data fall into two categories of responses. In the first group, six items
ask for personal facts that, it was assumed, only a respondent or someone socially
close to a respondent would know. For example: elementary school attended, first
name of favorite uncle, first name of best friend in high school, mother’s maiden name,
first name of first boyfriend/girlfriend and father’s occupation. In the second group,
14 interest-based and opinion-based items ask each respondent to declare a favorite.
For example: favorite music, favorite color, favorite flower, favorite vegetable and
favorite dessert. Again, the assumption was made that these responses would be known
only by a respondent or by someone close to him or her.
d. Items for Recall of Cognitive Data 

In the identical Q3 version of the cognitive data section, the same
respondents were asked the same questions again approximately three months from the
first administration. In examining the feasibility of a system of passwords based upon
cognitive data, the correlation of responses between the Q1 and Q3 administrations is
of interest. Expectations are that there will be a high correlation between the six
fact-based cognitive items. Also of interest is to what extent the opinion-based cognitive
data "favorites" might vary with the passage of time.

e. Items for Recall of Passwords 

Where Q1 assigned a random password and asked for the creation of
a password, the second part of Q3 asked the same respondents, at a later time, to recall
these passwords. First, after asking each person to recall the password of his or her
own making, each respondent was asked whether he recalled his password from
memory or had resorted to writing it down. Secondly, each respondent was asked to
recall the assigned password on the Q1 form. The respondents were again asked
whether they recalled it from memory or had written it down. Expectations were that
the respondents would recall the passwords they created better than the assigned
random string of characters. Additionally, of interest was the extent to which the use
of a written memory aid confounded that expectation.


f. Items to Tap Socially-Close Knowledge of Cognitive Data 

The Q2 significant-other form asked for only two items of identifying
data. It asked for the last four digits of the user-respondent’s Social Security number
to be used for matching purposes. It then asked for the relationship of the Q2
significant-other respondent to the Q1 respondent. The remainder of the Q2 form
repeated the 20 cognitive data items in the third section of the Q1 form. The
significant-other respondent was asked to indicate what he or she thought the Q1
respondent would answer to each of the questions. They were asked to complete the
Q2 form without help from the Q1 respondent. The Q2 respondents were also asked
to answer only those items in which they were confident of their responses while
leaving blank those where they would need to guess at the response. Of interest was
the level of accuracy at which the Q2 significant-others could match the responses of
the Q1 user-respondents. The assumption was that if someone socially-close to a user
had deficient knowledge of personal cognitive data, then the likelihood of guessing by
someone socially-distant from the same user would be remote.

2. Sample and Data Collection Design 
a. Q1 Response by User-Respondent

The Q1 questionnaire was administered to 106 graduate students
majoring in management information systems. The average age of the participants was
31.8 years in a range from 25 to 41 years. Of the respondents, 76% were male and
24% were female. They averaged four years of experience in using computers. All of
the respondents had some experience with computers; the average was 4 years and
9.4% had been using them for less than a year. Forty-five percent reported that they
used some combination of microcomputer and mainframe, 30% said their computer
experience was limited to microcomputers, while 12% claimed to use only a
mainframe.
b. Q2 Response by Significant-Other 
After completing Q1 forms, the user-respondents were given the Q2 
form. They were asked to write the last four digits of their Social Security number 
on the form and then give it to a significant-other of their choosing. They were asked 
to return the Q2 forms within one week. Q2 forms were returned by 88 or 83% of
the user-respondents. Of these, seven contained missing data, yielding 81 or 76% 
complete Q2 forms. Of the significant-others responding, 75% were spouses, 20% were 
friends and 5% were siblings. 
c. Q3 Response by User-Respondent
The Q3 version of the questionnaire was administered to the same
user-respondents approximately three months after the Q1 administration. Again, the
administration was to the same test group that had completed Q1 forms. Of the
original 106 Q1 respondents, 99 or 93% participated in the Q3 administration.


C. TABULATION 
Upon completion of the administration of the Q1, Q2 and Q3 questionnaires, the
data was tabulated and analyzed using standard statistical methods. Chapter VI explores
the findings and results from the questionnaires.


VI. DATA ANALYSIS 


A. FINDINGS 
1. Recall of Passwords 
Table 1 reflects the ability of the user-respondents to recall both the assigned
password and the self-selected password. Of the user-respondents, 35.4% were able to
accurately recall the password which they had created themselves three months earlier.
Slightly over 23% of these user-respondents were able to recall the assigned
seven-character random string password. Fourteen people accurately recalled both their
self-generated password and the assigned password.


CONVENTIONAL PASSWORD RECALL

PASSWORD          NUMBER WHO RECALLED    PERCENT WHO RECALLED
Self-generated    [illegible]            39.4
Assigned          [illegible]            [illegible]

TABLE 1


The password recall results immediately provoke the question as to how the
user-respondents were able to reproduce either of the two passwords three months later.
Table 2 shows that 86% of the user-respondents reported that they recalled their
self-generated password from memory without writing it down. The remaining 14%
reported that they wrote down their self-generated passwords.


METHOD OF
CONVENTIONAL PASSWORD RECALL

METHOD OF RECALL    PASSWORD SELF-GENERATED    PASSWORD ASSIGNED
From memory         85%                        34%
Written down        44%                        66%
Total               100%                       100%

TABLE 2


The expected opposite effect is found in the case of the assigned random-string
password. When this password was assigned on the Q1 form, the likely
response may have been that it was nonsensical and lacked any mnemonic character.
This may have been motive enough for the user-respondents to write it down as,
indeed, 65.8% of them did. Nonetheless, using a password of their own making and
being confident that they would not need to write it down, only 35.4% of the
respondents could recall it three months later. Even where the user-respondents were
sure they had to write it down, as in the case of the difficult-to-memorize assigned
password, only 23.2% could recall it by the time of the Q3 administration. Apparently,
people who could not recall their passwords also could not recall where they had
written them down.

A meaningful detail was described to the respondents on the Q1 form of the
questionnaire as an item such as a name, a date or a number. Table 3 shows that an
overwhelming proportion, 77.2%, used some form of meaningful detail to create their
own passwords.


METHODS OF
CREATING SELF-GENERATED PASSWORDS

METHOD                               NUMBER    PERCENT
Meaningful detail                    49        [illegible]
Combination of meaningful details    32        [illegible]
Random characters                    8         [illegible]
Other                                16        [illegible]

TABLE 3


2. Recall of Cognitive Data by User Respondents 

The overall average number of correct matches by the user-respondents on
all cognitive data questions between Q1 and Q3 was 16.3 out of 20 questions or 82%.
Figure 6-1 reflects this distribution. Of interest is the congregation of the success rate
of these user-respondents at the high end of the spectrum. While somewhat skewed,
the distribution approximates that of a normal curve. The lowest level of success was
13 correct matches (65%) of cognitive data items out of a possible 20. The modal
range is 15 to 17 correct responses (75% to 85%). Of interest is the comparison of
the level of these responses on cognitive data with the responses for the two types of
passwords recalled over the same period. The best password response was 35.2% for
the self-generated passwords. On the cognitive data continuum, the number of correct
matches for self-generated passwords would be equivalent to obtaining only seven
correct cognitive matches. No respondent scored that poorly on cognitive data.


[Chart. Vertical axis: NUMBER OF RESPONSES. Horizontal axis: QUESTION NUMBER, 1 to 20.]

FIGURE 6-1


The success of these user-respondents in recalling cognitive data items over
a three-month period is expressed in the percentage of correct matches that were
produced on the Q3 form. The average for the fact-based cognitive items was 94.1%
(Table 4). Only one of the responses was below 90%. Again, recall of self-generated
passwords was 32.2%.


USER-RESPONDENT MATCHING ON
FACT-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What is the name of the elementary school from which you graduated?      93             93.9
What is the name of your favorite uncle?                                 88             88.9
What is the name of your best friend in high school?                     [illegible]    [illegible]
What is your mother's maiden name?                                       96             97.0
What was the first name of your first boyfriend or girlfriend?           94             94.9
What is the occupation of your father?                                   92             99.0

TABLE 4


As expected, the success rate for recall of the interest-based and
opinion-based cognitive items is somewhat lower than that for the fact-based items.
Nonetheless, the average percentage of correct responses produced on the Q3 form was
87.9%. The matches on a third of these items were over 90%. Only one item had a
match rate below 80%. Tables 5, 6 and 7 portray the matching for interest and
fact-based cognitive data items.


USER-RESPONDENT MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What was the name of your favorite class in high school?                 80             80.8
What is the name of your favorite music performer or group?              [illegible]    74.7
What is your favorite type of music?                                     86             86.9
What is the name of your favorite vacation place?                        84             [illegible]
If you could travel to any country in the world, which would it be?      85             85.9

TABLE 5


USER-RESPONDENT MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What is the last name of your favorite actor or actress?                 83             83.8
What is your favorite flower?                                            94             [illegible]
What is your favorite dessert?                                           90             [illegible]
What is your favorite vegetable?                                         [illegible]    [illegible]
What is your favorite fruit?                                             86             [illegible]
What is your favorite color?                                             [illegible]    95.0

TABLE 6


USER-RESPONDENT MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
If you could change occupations, which new occupation would you choose?  [illegible]    32.3
What is the name of your favorite restaurant?                            [illegible]    87.3
What is the last name of your favorite college instructor?               [illegible]    [illegible]

TABLE 7


3. Matching of User-Respondent Cognitive Items by Significant-Others


The average number of correct matches by significant-others on all cognitive
data questions from the Q2 form was 5.4 out of 20, or 27%. Figure 6-2 reflects the
distribution of the correct matches. Again, the distribution approaches that of a normal
curve. The distribution curve emphasizes the success rate of the significant-others and
is skewed toward the low end of the spectrum. The highest level of success was 10
correct matches (50%) of cognitive data items out of a possible 20. The modal range
is 4 to 7 correct responses (20% to 35%). Comparing the distribution of the profile
in Figure 6-2 with that in Figure 6-1, there is no overlap. The user-respondents' ability
to recall cognitive items dwells in the range of 13 to 20 successful matches (out of 20)
while the ability of the socially-close significant-others to know how the users would
respond gravitates toward the range of zero to 11.


[Chart. Vertical axis: NUMBER OF RESPONSES. Horizontal axis: QUESTION NUMBER, 1 to 20.]

FIGURE 6-2


These significant-other respondents are assumed to be the people closest to 
the user-respondents: spouses, boyfriends or girlfriends and siblings. Yet, even they 
do not have correct knowledge, on average, of more than 70% of the items of personal 
information and personal preferences of the user-respondents. 

The difficulty the significant-others had in matching the cognitive data
answers of the user-respondents is confirmed in the average percentage score for
fact-based cognitive items: 36.9% (Table 8). The assumption was made that the
fact-based items would be better known by a socially-close other than would the
opinion-based items. The data confirm this assumption as examination of the matches on
interest-based and opinion-based items reveals below. Nonetheless, even though the
socially-close others are precisely the people who should know better than anyone else
the personal facts about the user-respondents, they knew only about a third of the
correct responses.


USER-RESPONDENT MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What is the last name of your favorite actor or actress?                 83             83.8
What is your favorite flower?                                            94             94.9
What is your favorite dessert?                                           90             90.0
What is your favorite vegetable?                                         85             85.9
What is your favorite fruit?                                             85             86.3
What is your favorite color?                                             95             96.0

TABLE 8


As expected, the significant-others know less about the personal preferences
of the user-respondents (Tables 9, 10 and 11) than they know about the
user-respondents’ personal facts. The average percentage score of matches for the 14
opinion-based items is 22.9%.


An assumption was made that the significant-other respondents are the 
people in the best position to possess personal knowledge about the user-respondents. 
The significant-others (spouses, siblings and boyfriends or girlfriends) were assumed, 
in a social context, to have superior personal knowledge of the user-respondents. Of 
interest is the ability of gauging just how much personal knowledge is held by socially- 
close people. A further assumption is that the accuracy of personal knowledge would 
decrease as soon as even the slightest social distance was introduced. 

To examine this social-distance notion of decreasing personal knowledge, the
average number of correct matches was calculated on the overall set of 20 cognitive
items for the 62 spouses and the 16 friends. The average number of correct matches
for spouses was 5.8 (29%); the average for friends was 3.15 (16%). The difference
between the two is 54%. To the extent that “friends” can be assumed to be socially
more distant than spouses (however slight that might be), the assumption of
social-distance affecting personal knowledge has merit.


SIGNIFICANT-OTHER MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What was the name of your favorite class in high school?                 12             14.6
What is the name of your favorite music performer or group?              24             28.9
What is your favorite type of music?                                     26             [illegible]
What is the name of your favorite vacation place?                        18             [illegible]
If you could travel to any country in the world, which would it be?      [illegible]    24.1

TABLE 9


SIGNIFICANT-OTHER MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
What is the last name of your favorite actor or actress?                 12             [illegible]
What is your favorite flower?                                            28             [illegible]
What is your favorite dessert?                                           18             21.7
What is your favorite vegetable?                                         20             24.1
What is your favorite fruit?                                             14             16.9
What is your favorite color?                                             [illegible]    [illegible]

TABLE 10


SIGNIFICANT-OTHER MATCHING ON INTEREST-BASED
AND OPINION-BASED COGNITIVE DATA ITEMS

                                                                         NUMBER WHO     PERCENT WHO
                                                                         MATCHED        MATCHED
ITEM                                                                     CORRECTLY      CORRECTLY
If you could change occupations, which new occupation would you choose?  11             [illegible]
What is the name of your favorite restaurant?                            [illegible]    29.3
What is the last name of your favorite college instructor?               8              [illegible]

TABLE 11


5. Discussion of Findings 
a. Recall of Passwords 

Over a three-month period, no more than 23.2% of the respondents 
could recall their system-generated, assigned passwords. This percentage includes the 
nearly two-thirds of the respondents who wrote down their assigned passwords. This 
was the case even though the assigned passwords did not exceed seven characters, the 
accepted limit to human short-term memory (Miller, 1956). 

Over the same period, no more than 35.4% of the same respondents 
could recall the passwords that they had created themselves. Again, this maximum 
recall included the 14% of the respondents who wrote down their self-generated 
passwords. 

b. Recall of Cognitive Data 

After three months, the respondents recalled, on average, 82% of their
cognitive passwords. None recalled fewer than 13 (65%) of the 20 cognitive passwords.
Over 6% of the respondents recalled all 20 items. When the fact-based cognitive data
items were analyzed separately, the recall averaged over 94%. The recall performance
on the interest-based and opinion-based cognitive data items was somewhat lower than
for the fact-based items. On average, 87.9% of the interest-based and opinion-based
items were recalled.

Recall of the cognitive data items was noticeably better than it was for
either the assigned or self-generated conventional passwords. Overall, the findings in
this study demonstrate an ease of recall for cognitive passwords that is superior to that
of conventional passwords.


c. Guessing of Cognitive Data 

The people who are socially close to the user-respondents (spouses, 
close friends and siblings), on average could guess no more than 27% of their users’ 
cognitive data responses. Only one significant-other could guess as many as 10 out of 
20 items. The modal responses were six and seven out of the 20. Four significant- 
others could not guess any of their respondents’ choices correctly. 

When the guessing of fact-based cognitive items was analyzed
separately from interest-based and opinion-based items, the results were as expected.
People close to the user-respondents could guess fact-based items better than they could
guess interest-based or opinion-based items. On average, the significant-others guessed
36.9% of the fact-based items while averaging only 22.9% for the interest-based and
opinion-based cognitive data.

A test of the notion that people more socially close to user-respondents,
such as spouses, ought to be better guessers than those even slightly removed, such as
close friends and boyfriends or girlfriends, showed it to be true. The average number
of correct guesses for spouses was 5.8 (29%) compared to 3.15 (16%) for non-spouse
significant others.

d. Summary 

These findings demonstrate that while cognitive passwords are easy for
users to recall, they are difficult for others to guess, even others who are socially close
to the users.
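
The recall and guessing rates reported above can be turned into a comparison of pass marks for a session of several questions. The following is an added example, not part of the thesis: it assumes each answer is an independent trial (a binomial model) and a hypothetical rule that a session of n questions passes with at least k correct answers.

```python
from math import comb

# Per-item rates reported in the findings above, as fractions.
USER_RECALL = 0.82     # user-respondents, all 20 items, after three months
CLOSE_GUESS = 0.27     # significant-others, all 20 items
FACT_GUESS = 0.369     # significant-others, fact-based items only
OPINION_GUESS = 0.229  # significant-others, interest- and opinion-based items


def p_at_least(k, n, p):
    """Probability of at least k successes in n independent trials."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def threshold_table(n, p_user, p_guess):
    """Return (pass_mark, false_reject, false_accept) for every pass mark 1..n.

    false_reject: the legitimate user gets fewer than pass_mark answers right.
    false_accept: a socially close guesser gets at least pass_mark right.
    """
    return [
        (k, 1 - p_at_least(k, n, p_user), p_at_least(k, n, p_guess))
        for k in range(1, n + 1)
    ]


def best_threshold(n, p_user, p_guess):
    """Pass mark that minimises the larger of the two error rates."""
    return min(
        threshold_table(n, p_user, p_guess),
        key=lambda row: max(row[1], row[2]),
    )


if __name__ == "__main__":
    # Assumed session length: the thesis allows at most ten questions.
    n = 10
    print("pass mark  false reject  false accept")
    for k, reject, accept in threshold_table(n, USER_RECALL, CLOSE_GUESS):
        print(f"{k:9d}  {reject:12.4f}  {accept:12.4f}")
    print("balanced pass mark:", best_threshold(n, USER_RECALL, CLOSE_GUESS)[0])
    # Fact-based items are easier for a close associate to guess.
    print("false accept at 6 of 10, fact-based only:",
          round(p_at_least(6, n, FACT_GUESS), 4))
    print("false accept at 6 of 10, opinion-based only:",
          round(p_at_least(6, n, OPINION_GUESS), 4))
```

With these rates a ten-question session balances best at six correct answers, where both error rates fall between 2% and 3% under the independence assumption.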




VII. IMPLEMENTATION


A. STRUCTURE OF THE COGNITIVE PASSWORD SECURITY MODEL 
The cognitive password security model encompasses user password 
development and a system-generated identification number along with physical security. 
Implementation is accomplished through two major modules: system administrator and 
user. These two modules support the two main types of participants in this cognitive 
password system: a system administrator and one or more users. A brief description of 
both the system administrator and the user module follows. 
1. System Administrator Module 
The system administrator module is protected by three layers of security:
physical security, segregation from other programs and a unique identification number
known only to the system administrator. Access to the system administrator module
will only be granted through the system administrator’s terminal located in his or her
office. This layer of physical security requires any unauthorized user to gain access
to the system administrator’s office in order to attempt intrusion. Both the system
administrator module and the user module were constructed as separate programs so
that access to one would not grant access to the other. A unique identification number
known only to the system administrator must be entered into the system upon program
initiation. In summary, three conditions must be met in order to gain access to the
system administrator module: access to a particular office, access to the program and
knowledge of the unique identification number.


Upon initiating the system administrator module, the system administrator
must respond to a query for his or her identification number as illustrated in
Figure 7-1.


PLEASE ENTER YOUR ID NUMBER
[illegible] < ENTER >

FIGURE 7-1


When the identification number is entered, it is checked to ensure
correctness. If incorrect, an error message is displayed and access is denied. If
correct, the System Administrator Main Menu is displayed with its 6 options as shown
in Figure 7-2.


SYSTEM ADMINISTRATOR - MAIN MENU

A - Add a new user
M - Modify a user's profile
D - Delete a user's profile
V - View a user's profile
U - Unlock a user's profile
E - Exit from system

Select Option ____ and press < ENTER >

FIGURE 7-2


a. Option A - Add a New User 
This option is used to add a new user to the cognitive password system.
Upon selection, a random number generator assigns a five-digit identification number
to the user. After the user is told his or her identification number, the user through
the system administrator responds to the 20 question database. In addition, the system
administrator sets the account status indicator to active. The status indicator, when set
to active or 1, allows a user to access the user module. If set to frozen or 0, a user
will not be allowed to use the user module. Figure 7-3 shows a sample of a question
display.


WHAT IS THE NAME OF THE ELEMENTARY
SCHOOL FROM WHICH YOU GRADUATED ?

PRESS < ENTER > AFTER ENTERING
ANSWER

FIGURE 7-3


b. Option M - Modify a User’s Profile 
Modify is used to change an existing profile. When selected, the
system administrator is prompted for a user’s identification number. Once a user’s
profile is located, the system administrator is prompted for the question number to be
affected by the change. The question, the current answer and a prompt for a new
answer are displayed as shown in Figure 7-4.


QUESTION 1

WHAT IS THE NAME OF THE ELEMENTARY
SCHOOL FROM WHICH YOU GRADUATED ?

CURRENT ANSWER IS:

ENTER NEW ANSWER - MAXIMUM OF
20 CHARACTERS

PRESS < ENTER > AFTER ENTERING

FIGURE 7-4


c. Option D - Delete a User’s Profile 
Delete is used to remove a user’s profile from the cognitive password 
database. Reasons for removal may be that a user no longer requires access or that 
a user is no longer associated with the organization. The system administrator selects
the delete option and is prompted for a user’s identification number. When the specific
account is located, its identification number and its answer database are removed from
the password database as illustrated in Figure 7-5.


USER PROFILE DELETED !





FIGURE 7-5 


d. Option V - View a User’s Profile 
View is used to display the answer database for a particular user. The 
system administrator is prompted for a user’s identification number. When located, a 
user’s entire account is displayed as shown in Figure 7-6. No modifications can be
made from this option.


USER PROFILE


STATUS
ANSWER 1
ANSWER 2
ANSWER 3
ANSWER 4
ANSWER 5
ANSWER 6
ANSWER 7
ANSWER 8
ANSWER 9
ANSWER 10
ANSWER 11
ANSWER 12
ANSWER 13
ANSWER 14
ANSWER 15
ANSWER 16
ANSWER 17
ANSWER 18
ANSWER 19
ANSWER 20





FIGURE 7-6 


e. Option U - Unlock a User’s Profile 

Unlock is used to change the account status indicator. If the status
indicator is set to 0, the account is frozen and access to the user module is not
allowed. If set to 1, the account is active and access is allowed to the user module.
The account status indicator can be set at three times: when adding a new user, when
modifying the profile of an existing user and when a user has failed after two attempts
to furnish the appropriate answers to the questions asked in the user module. The
unlock option is used by the system administrator to reactivate an account. When
selected, the system administrator is prompted for a user’s identification number. After
locating a user’s file, the current status indicator is displayed along with the option of
changing it as shown in Figure 7-7.


CURRENT STATUS = __


DO YOU WANT TO CHANGE THE STATUS ?
Y or N


PRESS < ENTER > AFTER SELECTING !





FIGURE 7-7 


f. Option E - Exit from System
Exit is used to save all records and exit from the cognitive password
system. When selected, all records are written to the database and the user is asked
if he or she wishes to return to the System Administrator Main Menu. If a user
answers "no", control is returned to the operating system. Figure 7-8 shows the exit
screen.


ALL RECORDS HAVE BEEN SAVED ! 


DO YOU WANT TO GO BACK TO THE 
MAIN MENU ? Y or N 


PRESS < ENTER > AFTER SELECTING ! 





FIGURE 7-8 


2. User Module 

After a user has established his or her account, a user will interface only 
with the user module. The only exceptions would be if a user’s account is frozen or 
if a user desired to modify an answer. 

The first test faced by a user attempting to gain access through the user 
module is to enter his or her identification number. When entered, the identification 
number is checked for correctness. If incorrect, a user is given additional opportunities 
to enter the correct number. If correct, a user proceeds to the question and answer
phase. A maximum of two attempts is allowed before the respective account is frozen.


a. Attempt One 

When a user’s identification number is evaluated as correct, he or she 
is instructed that five questions will be asked as shown in Figure 7-9. After this 
informational screen is displayed, five questions are randomly selected and
displayed one at a time, Figure 7-10. A user responds to each question. After all 5
questions have been answered, the responses are compared to the answers stored in the
answer database. If correct, access is granted, Figure 7-11. If incorrect, access is
denied, Figure 7-12, and the user proceeds to the second attempt. No error messages
are given to indicate if any answers are incorrect. This is a security feature to prevent
a potential intruder from attempting to guess the appropriate answers.


YOU WILL BE ASKED 5 QUESTIONS IN
ORDER TO AUTHENTICATE YOUR ACCESS


PLEASE LIMIT EACH ANSWER TO
20 CHARACTERS


PRESS THE ESCAPE KEY TO START





FIGURE 7-9 


WHAT IS THE NAME OF THE ELEMENTARY
SCHOOL FROM WHICH YOU GRADUATED ? 


PRESS < ENTER > AFTER ENTERING ! 





FIGURE 7-10 


ACCESS GRANTED ! 


PRESS THE ESCAPE KEY [illegible] !





FIGURE 7-11 


ACCESS DENIED !


YOU WILL BE GIVEN ONE MORE
OPPORTUNITY !


PRESS THE ESCAPE KEY TO CONTINUE !





FIGURE 7-12 


b. Attempt Two 

Five questions are randomly selected from the question database. 
Safeguards have been built into the cognitive password system to ensure there will be 
no duplication of questions between attempt 1 and attempt 2. Each question is asked 
in the same fashion as in attempt 1, Figure 7-10. After responses are obtained, each 
answer is compared against the respective answers stored in the answer database. If 
correct, access is granted, Figure 7-11. If incorrect, four actions occur: access is
denied, the account is frozen by automatically changing the account status indicator
to 0, the user is instructed to contact the system administrator before attempting further
use and the user is exited from the system. Figure 7-13 illustrates the access denial
display.


ACCESS DENIED !


YOU MUST CONTACT THE 
SYSTEM ADMINISTRATOR IN ORDER TO USE ! 





FIGURE 7-13 


Figure 7-14 summarizes the logic of the user module. 


[Flowchart of the user module. Recoverable labels: ENTER ID NUMBER; SELECT 5 QUESTIONS; ENTER ANSWERS; ATTEMPT < 2; GRANT ACCESS; SEND ALERT MESSAGE; EXIT]





FIGURE 7-14 
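

The administrator options A and U and the user-module logic described above, as an added Python example that is not the thesis's Pascal prototype. Assumptions not in the thesis: all names, case- and whitespace-insensitive answer matching, rejecting blank answers, and keeping the failure count and the pending questions on the account, so that abandoning a login neither resets the count nor re-rolls the five questions.

```python
import hmac
import secrets

TOTAL_QUESTIONS = 20       # size of the question database
PER_ATTEMPT = 5            # questions asked in each attempt
MAX_ATTEMPTS = 2           # the account is frozen on the second failure
ACTIVE, FROZEN = 1, 0      # account status indicator values from the text


def normalize(answer):
    """Assumed matching rule: collapse whitespace, ignore case, cap at 20 characters."""
    return " ".join(answer.split()).upper()[:20]


class CognitivePasswordSystem:
    def __init__(self):
        self.rng = secrets.SystemRandom()   # unpredictable IDs and question picks
        self.profiles = {}                  # user ID -> profile dict

    def add_user(self, answers):
        """Option A: assign a random five-digit ID, store 20 answers, set status active."""
        stored = [normalize(a) for a in answers]
        if len(stored) != TOTAL_QUESTIONS or not all(stored):
            raise ValueError("a profile needs a non-blank answer to every question")
        user_id = str(self.rng.randrange(10000, 100000))
        while user_id in self.profiles:     # never reuse an assigned ID
            user_id = str(self.rng.randrange(10000, 100000))
        self.profiles[user_id] = {"status": ACTIVE, "answers": stored,
                                  "failed": 0, "asked": set(), "pending": []}
        return user_id

    def unlock(self, user_id):
        """Option U: the administrator reactivates a frozen account."""
        self.profiles[user_id].update(status=ACTIVE, failed=0, asked=set(), pending=[])

    def challenge(self, user_id):
        """Return five question indexes (0-19), or None for an unknown or frozen account."""
        profile = self.profiles.get(user_id)
        if profile is None or profile["status"] != ACTIVE:
            return None
        if not profile["pending"]:
            # Draw only from questions not used in an earlier failed attempt.
            pool = [q for q in range(TOTAL_QUESTIONS) if q not in profile["asked"]]
            profile["pending"] = self.rng.sample(pool, PER_ATTEMPT)
            profile["asked"].update(profile["pending"])
        return list(profile["pending"])     # asking again returns the same five

    def respond(self, user_id, responses):
        """Check all five answers together and report only the overall outcome."""
        profile = self.profiles.get(user_id)
        if profile is None or profile["status"] != ACTIVE or not profile["pending"]:
            return "DENIED"
        all_correct = True
        for q in profile["pending"]:        # no early exit, no per-answer feedback
            given = normalize(responses.get(q, "")).encode()
            all_correct &= hmac.compare_digest(given, profile["answers"][q].encode())
        profile["pending"] = []
        if all_correct:
            profile.update(failed=0, asked=set())
            return "GRANTED"
        profile["failed"] += 1
        if profile["failed"] >= MAX_ATTEMPTS:
            profile["status"] = FROZEN      # only the administrator can unlock
            return "FROZEN"
        return "RETRY"                      # one more opportunity, with new questions
```
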


3. Sample Case

The system administrator is the focal point of a security system. If a system 
is large enough, a systems administrator may delegate specific functions to assistants, 
such as a systems security manager. While a security manager is primarily responsible 
for the security of a computerized system, the system administrator remains overall 
responsible. In this discussion and in the following example, a system administrator 
retains all responsibilities and therefore, is the primary point of contact. 

Initially, a potential user meets with the system administrator in the 
administrator’s office to start a sequence of events culminating in a user being granted 
access to the system as an authorized user. The first order of business is to verify a 
user's need to access the information system. Verification should be obtained 
independently of a user; i.e., a potential user should not be allowed to furnish his or
her own verification. An ideal scenario is for verification of need to be accomplished 
prior to an initial meeting. If unable to do so, a potential user should not be granted 
an interview until verification is satisfactory. Proof of need may take various forms: 
a written or electronic request from a potential user’s department head transmitted 
independently of a potential user or a valid organizational identification card matched 
with an authorized request such as a validated course enrollment form. After this 
initial step is complete, step 2, familiarization with appropriate rules and regulations, 
takes place. 

A list of do’s and don’ts should be compiled in layman’s terms. Each
potential user should be required to read this list and ask any questions he or she
desires. Once a potential user understands the rules and regulations, he or she should
sign acknowledging understanding and receipt of a copy. Only after the systems
administrator has verified need and is satisfied that the potential user understands the
procedures, should a potential user be recognized as a new user.

At this stage, step 3, the systems administrator will activate the system 
administrator module and initiate the user’s profile. An identification number is 
generated and assigned and the responses to the 20 questions in the question database 
are entered into the answer database. Each answer is given verbally, thereby 
eliminating the need to commit any answers to paper. By elimination of paper media, 
the risk of a user committing any of the answers to writing is reduced. This security
safeguard helps ensure that the password answers will not transition to something 
possessed as opposed to something known. Upon completion of this step, a user is 
now authorized to use the user module. 

Step 4 is the user log-in process. When a user activates a terminal, the 
cognitive password system is automatically accessed. A user will be first asked to enter 
his or her identification number. If the identification number is not valid, the user will
receive additional opportunities to enter the correct identification number. If correct, the
user will be asked five questions. The responses to these questions are compared to
the stored answers asked at the time the user first initiated his or her profile. If the
answers match, access is granted. If incorrect, the user is asked five additional
questions. Again the responses to the second set of questions are compared to the
stored answers. If correct, access is granted. If incorrect, access is denied, the account
is frozen and the user is exited from the system. Further use of the computer system
is denied until the unsuccessful user meets with the system administrator.


VI. CONCLUSIONS AND RECOMMENDATIONS 


A. YES! THERE IS A BETTER WAY! 

In Chapter IV, the question "Is there a better way?" was asked concerning
passwords. The foregoing research confirms that passwords can be made to be more 
effective and yield a high degree of security. 

1. The Inadequacy of Traditional Passwords 

This study outlines the problems found in traditional passwords: hard to 
remember, easy to guess, written down on paper, low level of security provided and 
user resistance. At the same time that traditional passwords were being criticized, they 
remained the most common form of computer access control. 

Traditional passwords have not kept up with the rapid advances in 
information systems technology. The widespread proliferation of networks and users’ 
desires to be able to access computer systems from basically anywhere in the world 
has caused traditional passwords to fall from favor. While still widely used, users have 
decreasing confidence in their capability to provide adequate security. The need to find 
a better password has brought password variations such as cognitive passwords to the 
forefront. 

2. Advantages of Cognitive Passwords 

This research has shown that cognitive passwords indeed offer several
advantages over traditional passwords.


a. User Selection 
Cognitive passwords allow a user to select the password. As has been 
shown, user selected passwords enjoy a high degree of memorability and low user 
resistance. The survey conducted with this study confirms this advantage. Of the test 
group, 23.2% could recall the system generated assigned password, 35.4% could recall 
the user selected password and 82% could recall their cognitive password. This 
marked increase in ability to recall portends well for cognitive passwords. 
b. Difficulty of Guessing 
A goal of any security system is to deter potential intruders from 
attempting to gain entry through guessing. Cognitive passwords demonstrate that 
indeed they are difficult to guess. People that are socially close to the user-respondents 
could guess only 27% of the cognitive passwords. People that could be assumed to 
be the closest to the user-respondents, spouses, fared little better. They could only 
guess correctly 29% of the time. The assumption that people not socially close to the
user-respondents, such as friends, would have an even more difficult time in guessing
cognitive passwords was confirmed by this research. Friends could only guess 16%
of the cognitive passwords.
c. Ease of Memorability
The degree of memorability correlates directly with the ease of
guessing. Users tend to select easy to remember passwords, primarily meaningful items
or details. The classic examples are spouses’ names or birthday dates. While easy to
remember, the passwords were unfortunately easy to guess. Little effort is needed to
guess the traditional password. As stated in section (a) above, the marked increase in
the degree of recall of cognitive passwords compared to system generated or user
selected passwords is significant.
d. Use of Episodic Memory 

Research into the development of effective passwords indicates that
passwords based on episodic memory are most effective. The advantage of episodic
memory is that it is based on meaningful details that are mostly unshared with anyone
else. Cognitive passwords are built upon this premise. Unshared memory is more
difficult to guess and would not normally be written down in personnel files. Barton 
(1984) indicated that good formulation produces passwords that are distanced enough 
in form from ordinary experience to make compromise unlikely. Cognitive passwords 
are based on items and details known normally to the user. 

e. Construction 

Menkus (1988), Fisher (1983) and Kurzban (1983) listed three 
characteristics that directly affected good construction of passwords: length, character 
set and memorability.

(1) Length. The longer the password, the more difficult it is to guess, 
and therefore the more secure it is (Wood, 1983). A cognitive password system based 
on 20 questions each of a maximum length of 20 characters yields a robust base. 

(2) Character Set. While passwords constructed of random characters 
yield the highest degree of security, practicality dictates character sets that can be 
remembered. The most common solution to this problem is the addition of vowels to 
characters to make the password memorable and therefore easier to use. The larger
the character set, the larger the number of possible combinations. Length coupled with
the character set determines how robust a password will be. The current implementation
of a cognitive password system has sufficient length and character set to yield a robust,
effective security system.

(3) Memorability. As previously stated, cognitive passwords have 
been demonstrated to be easier to recall than either system generated or user selected 
passwords. One factor that greatly improves memorability is the ability of a user to 
construct his or her own password. As has already been shown, cognitive passwords 
take advantage of this user selection. In fact, cognitive passwords combine the
advantages of user selection and a user’s innate desire to select meaningful details.
The synergism of user selection and meaningful details yields a rich and effective 
password security system. 

3. Degree of Security 
The degree of security provided by any password system is a function of 
user acceptance. If a system is difficult, the system will be either not used or 
circumvented. Cognitive password systems offer the advantages of high memorability,
ease of use, user selection and little user resistance.
4. Implementation of a Cognitive Password System 
How difficult would a cognitive password system be to implement? As part 
of this study, a prototype of such a system was built and implemented. The prototype 
was coded in Pascal and designed for a stand-alone microcomputer. The system was 
found to be easy to understand, inexpensive to implement and easy to maintain.
Adaptation of this prototype to a network, a minicomputer or a mainframe computer
could be accomplished with a minimum of effort.

5. Summary

Cognitive passwords have been shown to be an effective computer security
mechanism. Ahituv, Lapid and Neumann’s evaluation model relative to cognitive
passwords is illustrated in Figure 8-1.


EVALUATION OF THE
COGNITIVE PASSWORD MODEL


CRITERIA                                    MODEL

1. EASILY REMEMBERED ?                      YES
2. HARD TO GUESS BY ASSOCIATION ?           YES
3. EASY TO [illegible]                      [illegible]
4. ATTACKABLE BY SPOOFING
   OR TROJAN HORSE ?                        [illegible]
5. [illegible]                              YES
6. EASY TO IMPLEMENT ?                      YES
7. COST PROHIBITIVE ?                       NO


FIGURE 8-1


B. RECOMMENDATIONS 

This study shows that cognitive password systems can be an effective computer
security mechanism. Further research into cognitive passwords is recommended.
Closely related to cognitive passwords is the area of associative passwords.
Smith (1987) has conducted preliminary research in this area. Research into how
associative passwords relate to cognitive passwords is recommended.


APPENDIX 


THESIS QUESTIONNAIRE Q1 - COGNITIVE PASSWORDS


BACKGROUND: The purpose of this questionnaire is to develop a sample database 
of appropriate questions and answers to be utilized in developing a prototype of a 
cognitive password system. 


PART A: PERSONAL INFORMATION 
Please answer the following questions: 





Age 


Gender: Female , Male 


Last four digits of SSN 
Number of years experience, if any, in computer usage: 


Type of computer(s) used prior to NPS (check any that apply): 
a. Microcomputer 
b. Microcomputer linked to a mainframe _____ 
c. Mainframe terminal ___ 


PART B: PASSWORDS 


1. Please construct and write in the space provided below your own password, up to 
8 characters (letters and/or numbers). Try to memorize and safeguard it as you would 
any other password. 


2. How did you choose your password in (1) above? 
a. A meaningful detail (name, date, number, etc.) 
b. A combination of meaningful details 
c. A randomly chosen combination of characters ___ 
d. Other (Please specify) 


3. The following password has been assigned to you for this study. 
Please memorize and safeguard it as you would any other 
password. 




PART C: Cognitive Questions For Passwords

Please answer all questions with a maximum of 20 characters.

1. What is the name of the elementary school from which you graduated ?
2. What is the first name of your favorite uncle ?
3. What is the first name of your best friend in high school?
4. What is your mother’s maiden name?
5. What was the first name of your first boyfriend/girlfriend?
6. What was the name of your favorite class in high school?
7. What is the name of your favorite music performer or group?
8. What is your favorite type of music?
9. What is the name of your favorite vacation place?
10. If you could travel to any country in the world, which would it be?
11. What is the last name of your favorite actor or actress?
12. What is your favorite flower?
13. What is your favorite dessert?
14. What is your favorite vegetable?
15. What is your favorite fruit?
16. What is your favorite color?
17. If you could change occupations, which new occupation would you choose?
18. What is the name of your favorite restaurant?
19. What is the occupation of your father?
20. What is the last name of your favorite college instructor?


THESIS QUESTIONNAIRE Q2 - COGNITIVE PASSWORDS 
Last four digits of SSN , Relationship 





BACKGROUND: The purpose of this questionnaire is to develop a sample database
of appropriate questions and answers to be utilized in developing a prototype of a
cognitive password system. Please try to answer the following questions REGARDING 
THE PERSON WHO GAVE YOU THIS QUESTIONNAIRE, without his/her help. 


Please answer the following questions with a maximum of 20 characters. Leave blank 
if you don’t know the answer! 


1. What is the name of the elementary school from which he/she graduated ?
2. What is the first name of his/her favorite uncle ?
3. What is the first name of his/her best friend in high school?
4. What is his/her mother’s maiden name?
5. What was the first name of his/her first boyfriend/girlfriend?
6. What was the name of his/her favorite class in high school?
7. What is the name of his/her favorite music performer or group?
8. What is his/her favorite type of music?
9. What is the name of his/her favorite vacation place?
10. If he/she could travel to any country in the world, which would it be?
11. What is the last name of his/her favorite actor or actress?
12. What is his/her favorite flower?
13. What is his/her favorite dessert?
14. What is his/her favorite vegetable?
15. What is his/her favorite fruit?
16. What is his/her favorite color?
17. If he/she could change occupations, which new occupation would he/she choose?
18. What is the name of his/her favorite restaurant?
19. What is the occupation of his/her father?
20. What is the last name of his/her favorite college instructor?


THESIS QUESTIONNAIRE Q3 - COGNITIVE PASSWORDS 


BACKGROUND: The purpose of this questionnaire is to determine how well a person 
can remember the answers previously given in the first questionnaire. Please answer 
to the best of your ability. 

PART A: PERSONAL 

Last four digits of SSN 

PART B: PASSWORDS 


1. Please write in the space below the password you developed and wrote on the first 
questionnaire. 


2. How did you remember your password in (1) above? Please be honest! 


a. Committed to memory _____ 
b. Wrote on paper ____ 


3. On the first questionnaire, you were assigned a password. Please write that password 
in the space below. 


4. How did you remember your password in (3) above? 


a. Committed to memory 
b. Wrote on paper 





PART C: Cognitive Questions For Passwords

The following questions were asked in the first questionnaire.
Please answer all questions with a maximum of 20 characters.

1. What is the name of the elementary school from which you graduated ?
2. What is the first name of your favorite uncle ?
3. What is the first name of your best friend in high school?
4. What is your mother’s maiden name?
5. What was the first name of your first boyfriend/girlfriend?
6. What was the name of your favorite class in high school?
7. What is the name of your favorite music performer or group?
8. What is your favorite type of music?
9. What is the name of your favorite vacation place?
10. If you could travel to any country in the world, which would it be?
11. What is the last name of your favorite actor or actress?
12. What is your favorite flower?
13. What is your favorite dessert?
14. What is your favorite vegetable?
15. What is your favorite fruit?
16. What is your favorite color?
17. If you could change occupations, which new occupation would you choose?
18. What is the name of your favorite restaurant?
19. What is the occupation of your father?
20. What is the last name of your favorite college instructor?


LIST OF REFERENCES 


Ahituv, N., Lapid, Y., and Neumann, S., "Verifying the Authentication of an
Information System User", Computers and Security, Vol. 6, No. 2, pp. 152-157, 1987.

Avarne, S., "How to Find Out a Password", Data Processing & Communications
Security, Vol. 12, No. 2, pp. 16-17, Spring 1988.

Barton, B.F., and Barton, M.S., "User-Friendly Password Methods for Computer-Mediated
Information Systems", Computers and Security, Vol. 3, No. 3, pp. 186-195, 1984.

Department of Defense Computer Security Center CSC-STD-002-85, Department of
Defense Password Management Guidelines, 1985.

Fisher, R.P., Information Systems Security, pp. 97-120, Prentice-Hall, Inc., 1984.

Hagopian, G., "Planning and Implementing a Security Package", Data Processing &
Communications Security, Vol. 11, No. 1, pp. 10-11, Winter 1987.

Hsiao, D.K., Kerr, D.S., and Madnick, S.E., Computer Security, pp. 43-105, Academic
Press, 1979.

Kaiser, W.G., "The Making of a B2 System", Data Processing & Communications
Security, Vol. 11, No. 1, pp. 19-23, Winter 1987.

Kurzban, S., "A Dozen Gross 'Mythconceptions' About Information Processing
Security", Security, IFIP, pp. 15-25, 1983.

Martin, J., Security, Accuracy and Privacy in Computer Systems, pp. 127-141, Prentice-Hall,
Inc., 1973.

Menkus, B., "Understanding the Use of Passwords", Computers and Security, Vol. 7,
No. 2, pp. 132-136, April 1988.

Miller, G.A., "The Magical Number Seven, Plus or Minus Two: Some Limits on Our
Capacity for Processing Information", The Psychological Review, Vol. 63, pp. 81-97,
March 1956.

Paans, R., and Herschberg, I.S., "Computer Security: The Long Road Ahead",
Computers and Security, Vol. 6, No. 5, pp. 403-416, 1987.

Pfleeger, C.P., Security in Computing, pp. 75-83, Prentice-Hall, Inc., 1989.

Porter, S.N., "A Password Extension for Improved Human Factors", Computers and
Security, Vol. 1, No. 1, pp. 54-56, 1982.

Smith, S.L., "Authenticating Users by Word Association", Computers and Security,
Vol. 6, No. 6, pp. 464-470, 1987.

Spender, J.C., "Identifying Computer Users with Authentication Devices (Tokens)",
Computers and Security, Vol. 6, No. 5, pp. 385-395, 1987.

Wood, C.C., "Effective Information System Security with Password Controls",
Computers and Security, Vol. 2, No. 1, pp. 5-10, 1983.


INITIAL DISTRIBUTION LIST 


Defense Technical Information Center
Cameron Station
Alexandria, VA 22304-6145

Library, Code 0142
Naval Postgraduate School
Monterey, CA 93943-5002

Moshe Zviran, Code 54ZV
Naval Postgraduate School
Monterey, CA 93943-5000

William J. Haga, Code 54HA
Naval Postgraduate School
Monterey, CA 93943-5000

LT John D. Hulsey
c/o Howard A. Webb
4200 Kimball Bridge Road
Alpharetta, GA 30201

RRO e . tot sages eee a eee ast: ep rT. i Pe | Pe ‘i bia Tied . A rer re a 8 n 1 pa 1 Pan . 
ee Aedes mae cong ide n gee BP eC “Se re p Cunt Pet WUeometvoe a Cy y ear aa Ae aie ae f Fi 
FOR EE “De Pa oo ent Lt aeden J gel PCI a ee ee Ly Ppco i) Se Co Pr ate ne Ca 
eee aanpumatena sent ep pe dere a ete" ahaa cae @ Mataherad | SL tO cap ALSO tt SEBS AOR arveel : ea Ls F : y 5; 
a eT ren a stati ener ry r oP Or sil F or mde any 4 o bade a rf Ce occ) a ee “9 Bae Pa ' Poa Re pd to er rl 1 A ar) - 
. e Reeptayyr! a Pee ed os aud. W- f re if re : ” ny a SA LU 1 8 at arene ny ' Fy A 5 ', ; 
Sea Pe ot eee Cane ope a aT} chan ty, fable Loa poetic LY ME a AP eh) a acid ad nn lg z Bed eo Oe ra Paar a ; . ce 
Pe Per ee pr yey = OE OP SS ere Ce ee a ee ee ee Shae Ta Feces Le ee fon a, o Fae ria ee er - 
ea chcaonarlen ietasckon ahead ws * 0 | FG? 9 ye pee a ahs Py Py re OSE a 7 = SE a im i rn) Seton ee er] p P 5 A A ot 
moments engten bone iva te Sing we ao SPI ee ES ets ees wee meas gost 8 aie Ae were) e ne Daa fear rE = ree At her o A a pI 
SNe awe aa eae . 2 cag h beatae.) FED oe Y oe we Pr ee LL BURP a iret pe SiS aR o f , , 7 
- ey ew rs ‘y Tay lieth aati) war Cart ee Lak erschaniedas Hohdelee Pa ea) Ae ra 5 UN tf aes ' an o : i 
pet eS Fe et oe «| Aap ee ee . ws ve pe . rey al Loe Cn A . ; o , Par 
TOO D ES wpe re acinar atdedan 4 hea? Fok d ss a0g pie, ea a Births Paar ie sha aueecaie cts! ve Pe ie r 5 : e uo P , 
a breccias pra eee prot eo w mt bee OME Bet eS ere eh cy ean a ern be ce mt ee ee | 
aad edhe dln geheehde td dt. rp decings dey att of gi Giaeye Cob * ce DOL Le y 3 ‘ % ‘ Ms ad 5 . : eas ' ce i. f 
Sree a een pit ery eae” Sat. Tire r bd peas 1) pee pe rid Clee ee rhea oe Fl F 7: aie o - aie , ri Pree ; 4 , 
sunbed t al 2, aR, AS cee ey Gs : rs or a ‘tas : J (Ge eee me are ee tate oats ‘ 
Pa = f Saar | an © o t J or a o , 3 ' ' i 
PN me gee oe era ae ea Va pee: |) Fi eee et ee 
vain at ipl a oe ee ee ee) ee wr [ader ines e Te Py . .e ee rer here eretdae a on ‘ A ar , - 5 A 
+t OP O6 bie we S oets tanieal-teaaktd aco taal ok ae ee Glico > ee Perry PI (hee dee SCAT 4 as ‘ 5 J 
—aghal Bat es a th Os escaat-sataiadtalt te ae UF alt-aal 5 we wrodgrvitos wd ye oF seth 2 8 oi ere) ar on oy Sy Ly ‘ o A : A : 
ol as — 2 be sal al 
Ppa pie ed tae bed Delher oae seybeh pete at fe aE yo iar spines ee Ce ee - Sie ro ze ee 
woes ae Pa en wr ier Ee eee ee er 722 oer ed: teat t is re Pe aa ' ri a ws ee An o oan A - 1 
er peer D ae Se otal fr ae ee a aS ee Tees) Ce ie 3 Ad . ' U on | . my ' 
4 Pd dhdetnd or cht ett Pi Bat and et foe D se »f o4 i 
er ere. reed 6 bel tarp ey  rd Le ges: baal 4 twist F Ps : UU A cd S Pa ' : 
ae SE peers : Pad Ae : Pa F . 
ere ne are = oe WR ened yd tes E ig ahd o. ; 2 ones 35 . ‘ a) Pa " : - : « a 
po i et ey eee eT ry = Cie eet ee er i. + Ones A x Tea ae ; A r 
SN Literal Pad oo a‘. eC he Iya aha F : ee * er] ‘i i ; 
oe aE ee ele ee ta a , 
= , 
een en an be ae i oe pee oa 
a ee ee ee : 7 oe i 
Per See 9 EP Bt . : « 
aie Bsa oend emi oh iat : ‘ n 
lanolin athe a anaes Jou x One as ® 08 
PT ee a et Pe : - : S Be a 
et ie Be OE : ue : 
a - = . 2 . . ' 
ei te ee ~ t” . p 
2a 5 Les ed ' Ld 
eee he SP Pe ee ike: Os ae , 
7 . at te ed ' 2 oo Par ; p 
° C7 ‘ 
* 
f 
= ‘ FA F ; Oo 
Px i . ee Te 
i 7 o 5 
J : < . my 
I oi ” ' . ' 
a ' D ' 5 D ees D Fi , 
oe : B 
; bs rd 
Ce | Py oT . 
[a] Py e a 
. e iy : 
‘ 4 ae : o A pI 
Py ‘i 
a F + ' e 4 
bd a ’ ‘i ‘ _ 
, F ’ n 
A ' | oy i i] 
F “ 
5 P 5 , 
ae 
. . pi ae z , ’ ' 
bd J . 
: 5 
e J 
LJ ' 
7 
a : a ee . 
A alee iy SOT UES Ste ; 
ra Patel =r e cal oy a 
Ce ae P atepete (ty "Et ol, ue ae 
4 UDI sania hbo. ar Stank bo oe ca ty 
cee cata’ oe got TEL. Yo TS ar Ge hei Len oe ie Ff ' A 
ye reper ore oye St EN en Per ere ee 
Pe eta vi Foe pee gtges Shur tread * a: A a) a ee ba At eal A 4 
ae Oe ce eee a eA Pare Tote eG Pia fy eats Ca ai re Bg nigel ae P Pre 5 
Oe ee Pe bode cee ect Soe. ro eM UEC uty ' Oa I aan) rn ox ' yy 
“ya age 4 5 ay 9 eae lt pple ioe ec ce cn ae 
Spee ek ae Reet tie yy oS ew ee zy ven a om sre . hd n ci i rs r) , eH ry y r 7 
oR ee Ee Oe ides el algal La lal ds PS F ° Aen ye om) 5 , Sore Sa es S > . 
ote 6 aaah ote ei Hee Lio hep chased So a 4 af , ABR ae ‘ua re y sore pas " i 
ee ee ee teed ee nt elt shai i bla led a te ¥ +. 3 : i a) . Ce er ets lla avs Y er 
Ove myst sap? a Petpet ade Sa-e Ms ie a Sly lag Os ee Py iC fa Te OP Le he Se ee 7 = fiw ae pen 
Galt Gl Reet 4 ee -6 A ae OG SU ath ed lace’ age Sk s Ce eked Cn an ry eer mey “a al ‘ : : U 7 
"dhe a a te Oe ee Saoled Lah. pep Sig has la hale thd CY ae Fe Per > Cd r Pr Sart « ry etc ate dade Pe a : hae oa A : 
a ee a cous OT es te eed een oe Lyi tbe hd) P90 92, ee . a - is IMT so4 Se nr eee . ; 
TT. Sher wih -tpbte senda ties tag bs delhi ay fi PU ee tee | ae ds x eee: eee Py : j A e a a . M o . . 
sree no he palm Saale sie ited z ool) alae ere. J 7 a rishera ta en cei be nN 5 5 
Ae tips C heetibinn Seether di — Maal oa aid o% 2 “beet ai oh Le dash ata ae m1 eu « Pie 0 tONKti eg tee HF oh 7 Fle 
ne gia asap Aen Spay ad hl is bag a ees COO ey Aer Ste w 8 bee age ou sar ' STs : " 
eee SIS ee Oa 6 ene Pane} CRON Ty aun Le et Cae ye A “ae ‘ : 5 
Eas am hol a Up eer AN Ves Se ary .8F = L Shs “ oer hb 'oAre ne os ' ory ae a a bl : ' yi ' 
<ao=o-ae Sal id an ehee anlp-ceg Mleiibenetrd der beta tartan | a > a tha | Tat ek bhai ede 1 A - be ' S 7 > o 
spots eg heeled began eis poe Gg) neg SPE Sk he AS » ee La he Ch eee ares ; : AT ‘ : beh o o > 
5 ee es tS ne yee ee Par See on te Be x P Sal rT We ee ee nts oh 8S bh a eee! 1 
= oe papoat Pt er iterate ai Ona a ar athe SE reat) Sibert ee I JO ei Ge Be U ACCC . ra 
atl Aa earring happpteiplagge. toe rere eae ee oe er ee eae Pee ey nr ee Ache Care A fl ee : m 5 ; CL : 
=a “er .s poy apenas ry Po oT) . a ethte er ae bd roar * yo A ' e@ 
oe x tree tenia eet ee poe cr tel rt rs PRPS bahay ab : pepe Dad “3 4 Poe ore Lh he Ve rey ' z i ar = $ pen a . ‘ : : he ny 4 ‘ A 
per Mapa se _ ee fi ‘ be he om oe Cas ee ry h e Pa Py : ' i . Fi Py ' A 
to Lelie tain Lealeam ta teler tly Iie magdiatehine hn. bo te TL | F bea aaéet |. Pe . OB rh ee Pri ‘3 H i. so Gue 4 be . : Md U 
rea an an, Sorlppy yee bastard ele ag Fest ONL, a 5 ne ee ee 1 ee p ns 5 aa ’ ; 
oe ee ee eee WeAd eye Erase! > a 4 rarer ment 8 j A 
say te elem 9g Seb eet weet tie! ele ea Tee ra i leh aoe pe Ce ees eet ae , ae le este rar ‘ ; ; 
- ee eee Pre P A i 7 eT) oe as A Deveney: WOE: a 7 5 A ' 
ey tt ot a ck ae ee ee 7 Pa ry fy are ee ed 
ts 6 pec tay 4 op ali ler a el Te ares he Oe fe Ae haba. s aN o we OS PM Se ER oC aera ee es L © “aXe . An atl 5 7 . n - ' 7 
a a ty oy ors rt iy a valk mn e aes iS a . A - . 
aptly ag ing eee’ Sinaaenin > Labeda Mi a Re 3 ied ees Cra. ¢ a edilad Careers eee re ae a Te NG me ee Be 5 
wipe ee ph oh ep lag’-~Tonlip boretdd ero tet OP Penn tabetha, a eat % Weer 4%e,0.1 1 Ci e Fi n rl pO A 
ae rT oe tenia hee eieke Pere nr et Le) oe Te oe ou SOUIUS OME CETL Ed a es re 3 o 5 : 
Fae et te hk So tat be Yad SER a, te CT es OR Pa Ue Ta Parry. weer a Ja . , A : 
Geist niahet bitters LT, deed Senthe,) onthd the, ie sep l aaN ba ty een Seaert ih be ; 5 ; 
ee aed P hestietiatads hd hi ly he a ‘ Fi y 
ee ets tated ie ee ee mse 8 Pld Pay ’ ” o 
G ; ns 7 . i fa e + eh ‘ 
eoieenyry come param anor ae amen eyes trans Peet eater i tee Ms re) Pep bro ed ste : Pyke , Oe s 7 ‘ 
4@ we BUSSE Ht" Dac Cre rt et hale Shed Be Sd ¢ a ee a el PhD H ‘ ei 
eri cache eet age peer eR ETT Bleep at ee es se ierestzes erie Abe im ie . pee La ae ea : ae 
slathlep sa rower ap bed yea re! 6 0 Se greed BHO re mH ETE TF BEe fepe ebb ttt A yteves kk soll a) 7 
SS EST GOES SR OL a a arr i) Ot Arne 
eet dp recy tee ape, pees tepid lS iS Hy a saat ieee Fes else fess ty'7e, 1 oie halle @ . P , e Fi 
Atel LET eee ee eer eh PO SLE PAR hia Sel Poo rieetie y , ' - , 
Ce ied deel a ‘ c S 
- . Cee en ee Rae, bd oh dies CER i Cae eet ee a Cr z i o 
on ah Bi eh De tah tee en ete piel deh Mi Son Ehediad are HY A ae rae ee 
phe mp teeny aasadieets ge! keg ee err a eit Ri. Ee ik ee ee ‘ y 
: ee err tt = nel ppl Lead ys geuiaceree Php 7 Brite oe ris ae roe ’ 7 f 
Beret Dan errengeess cevoratoneras' Mpaveretehergr senate ree srt te . a See ica jak) 10 aes ae ye y 
Ss aad atten Satelit eed php age Aghey lay t 1e0/8 eee neree a Me rea Be. ale bees re ere Oa ar ; . a 
Sd tenet ined fet eh id H he Fics ee hele i. T Tt ‘ e408 A 
Lastest dean Meth deh-ten been tele Tre te ee Bate Taide a ee iy Bh | aries a Pha EI F p , 
¢ mae steers ere 0 feferes uit PPT 6 mae Le aT aS ig cack si se H se 4 i sd a ai ae 
net Yt ye hes =! ah t ie AP PCy | & Se er ate fi un Maer -< fees . ee Ie ¢, 8 Fy : i rl 
oe rant co ct angling or or bepabepaar het TTL eu Pair a tar Oe Tyee, on we a) - Re - i 7. ae hae ; ae " 
rae peo Le pla hp pp: edie iy ey Mb st sdapdagbe: ie et meee Ok “es Cie a en ee ee a A 5 e 
Sch hierate ath Ah et eh an ROO Pa ey Naess ony 4 ws Sern, Ha aie OT a A >) EL BI sel , 
A ek ed fii mei mo Le! : 5 ¥ $ 7 Cas yt i Seg s y ’ a ry ry . ' A 
Ty) oe ty be ad) Pe irae Wid Ye he ee a Pr 4 A Pe ee; mr Ae ' ry 
peape-ne yeti Mc eal Apclaehes Cea) rf CSE aid Se Ke Sil Cer er eres ei te Adie acl BR Dat Yate : F CM eS Niele een ono. ie . p 
Minton errr oT Tt Rice wpe aby. ha eat 4 athe Bech hs Oe Rhy 4 she oy SF e site wae a ae eurg F f , . O f 
Lo babel cet hen daeriel tel ew "RITE O88 , ili Ls A . efety © te & a cr er - 
Q Store Se be paces i hinditee dom pdy *e:e7uret i Le A vor et, es Tae a wb eo fl 5 he ree eS * o Para ia Fe ie 
wr wd | Bien s Ue LE a e ie Fee ial) ' 
Sno cliente Yen The Lethe Lt dati Gul pst tp FG OF OBi; CGLSVO" OFRO MGs Te ate. neh dtl acne! ptt bt had Soh Te adil! cinesns ee Pan a a Soa ae Ur CAO eet : 
@veson ee ale ie bee ee RS bk ee hs Pe ied § ae] H ereee «0% ‘ nl . o 
pr ln ty ee Le ALY, a 4 te ee es Rt i 7. cr we ree pS) al a IT Phe Pansy ke a F ” Ca rar 5 ur 
erty htt sade A) ere ee te Lee Trae Pee A ay Ja) ae a . f A - , '& paar Fi 
soca ee tcle aap carat gles baths rad ald eg teat DR Ss ie la a a poe at ar wi ae a ae A : 5 ; 
Peet eth Later tat ae aa a “een a UE pte “ : aes : : ' s i i 
* = e 
eer Tp aheemaneeeeenppdg "aya ER - pe REE ES eR eR eek RE D0 avines Pee , J : 
‘petra ee Ly Vt th ae a 2s - lade le 4 Pp Same yet et. PP ery Shee Ls me | , ee 688 ; .f 
eaten Np frentetng ty agg senate Se ec te ele TiO OPy OTee? ey PoP Pah ig Ta UC) TI eed , F t, uy ° ios ae tad 
2 oer neers . tthe tit i eh he | 91 ME Ral otes " z Ye) raat) are ~ ve amhn i i a 
potdptonevmyey tare Be My Apa e-yaa yep hae A PH Hn tte Eee et Or Re Ca er wy): ae i a ee ae ; . 
Tr iat tt. aad Cle hed ’ vere a ar | “\ Ch om 4raly ary ta j ww om ta Fi A a A Py . ar 
sey crecerucnerermnmare Wu ere arn: FY Dh Teed a cov FU Sah Ah ea he Del OIC eNO aa F 1 Nay ali aaa ae y 
omrernzere'e wearers Py aay lase Seta tar er, La) diet Ay Pld hal /| x Peake * lis ‘ Jee tp : ar | : ; ‘ 
et ta ts Lect Io, Siellieden Misiiae d tethey-ddbeted © O4%™% Sieh file ee a al ge n siete bd 5 : Li A cae 
Cte Mitte true te Mah il Se teel Te a ad A a er ade poe retess 8 tm beh 7 Cah . 8% ek r ' me A o 
r arnt eg ehh nod qs year @ eins @ grestensorr ree vt ad acai Ta a se Mt UG " 5 LS y / F e : 
ry Hi d PS 3 a e " 
ede id hea LD OE i he AS Sy be les os ae Lh ree. pitta i LO GC og een ee aL : 
roe 2 4 Hema bp Yat tian) ee y Cafe ms om rer an) ‘ Sey eae q! ik eee - ; a i a rey ; P oe ; 
ral . 4 Co a 
Tiss a tots | he a ss oc oe r ou wy iz , A Pi ae Ay A 
ee Age ih 
J a ae | . . ry a 
teeie seve ee LE LT Fg cae F y ‘ J 
Ae. 2d . bd 
eer Lt oe et ek Se hk AA th Jad Pe yi Pl F i sy ° H ot 
ee a La ble fbi, id, | by Bt a ! a a Ads LO torre : un a 
Teale’ AD cbt teateeed ett la Shp he)? ppl A Ee Ce) ¢ e sani uy - A 
eblde dtd sided ia bake le Ra Ld ‘ Len A ; s " , ‘ ‘ ; 
on tebe oe Aball lard keg adhd A pence srmenrnet =: ale EET ke ey Retw if) & Coege e % M UH o i‘ t “ / eee ri 
Ag ee Loe Li See die Lor te Mibedid Py et ro Ty Ye MO hk ad ts he ee kt M0 we 86 6 Gaetigg ce al if Aeris Ld Ly Cry bs ie ' 
nen yo fo te ort tet « Tt fe th Ta Ree ee glee = r See F F 
ly open tie pt OL ao pha ie Rts ah th caraeel unde oii hel) pe Oy Le eee tp ODE Ae oT ae Fe Aner Fi A 
lh an rte ey wort ab Af Sap Near pe ae vow ects yy AE n : y . 
7 bse Mian) yey do H aU ae yi ’ H n 
TA Walde date ded co A Oe me keg ° wr ut ee - : 
Md Rulensy son LI ARNT S reueed ota Fe le eae Le Lay fo a eee ‘ F 
ate Eat a cea aed tly ALIA A bd baad 1 S ebdke. tee da Ne ad a ad et ae, Bo au ' 
pet ey TC At Hh, VIM Re! ose TTT. ha Ny - F Pure - 
Eads Soll ot ah te) Ad adiabade hed oy a % i Me) ere@eas f 
ta Ta A aay! LAA de le) Darryn aree wt eR glad wr eR: eS n 2 y ‘ ra : 
ee oe deed od : ' g 4 0.0 a a 
Pa eet Smad eS mat RADA fda) ‘ah A oS al fer irey TA nl sas = ’ 
op peateT a ae Weds land > Lead tad re nyse A.” veep & aw Pee : u at A eee , ' 
png od es ndash Ed pal fe aa A " Se ae VF r) f 
teh lt dette d adel Y Mite Jd Beek Ade te) ® + fr 4 a: J a) . sf f ae . 
5 yA Be ta wa dace ; : pl y : 
Gitect crasene oy Artic: mat ara eek thread dad , alls P . 
eae" oe i) Mad Orel PN, s i . Pi A ri 
" bah ay e ‘ P ’ i 
Pm Td 6 Sak v . P Ae a ' rl 
Te oye ane Pe Yay) Mf . P 
‘t Hh Latta) PARAL er St olivia oe ] r pt 
G x) + & 0 FIV 24,0") Pa dd A ee) ; ; : : 
Prob AS aA | RMAs tp CLL a ae U at Ar a ; ? 
‘ a a oe Por ° e ’ i 
Try oT ee ort Np Ble sh. , rl ‘ ¥ b r ee 
me ut? q e¢ : 4 Ce 4 A ' 
i ee ir a o ar 
r | ' 
5 
e Pa A] 
i 





